Abstract. We present an extension of System F with call-by-name exceptions. The 
type system is enriched with two syntactic constructs: a union type for programs whose 
execution may raise an exception at top level, and a corruption type for programs that 
may raise an exception in any evaluation context (not necessarily at top level). We present 
the syntax and reduction rules of the system, as well as its typing and subtyping rules. 
We then study its properties, such as confluence. Finally, we construct a realizability 
model using orthogonality techniques, from which we deduce that well-typed programs 
are weakly normalizing and that those of the type of natural numbers really 
compute a natural number, without raising exceptions. 



Exceptions are a convenient mechanism for handling errors in programming languages. 
Most modern languages use them: Java, ML, C++, .... The main computational features 
of exceptions are: 

(1) One can raise an exception in place of any other expression (or instruction)¹; 

(2) It propagates automatically by default; 

(3) One catches it only where needed. 

Exceptions have long been confined to call-by-value languages and are usually presented 
as a mechanism which "cuts through" the normal control flow of a program when raised. 
This amounts to viewing the raising of an exception as an effect of the calculus. Unfortunately, this 
view makes exceptions hard to transpose to call-by-name calculi, since those do not cope 
well with effects. 

This is a well-known problem. While in call-by-value the effect of a term t u can be 
predicted based solely on the effects of t and u, in call-by-name it also depends on 
the actual term t. Indeed, in call-by-name u may well not be evaluated, thus not producing 
its effect (or be evaluated many times, producing the effect many times). For exceptions, this 
means that in call-by-name, the fact that u raises an exception does not necessarily imply 
that t u will. Hence in call-by-name, as summarized by S. Peyton Jones et al. [14], "(...) 
the only productive way to think about an expression is to consider the value it computes, 
not the way in which the value is computed". Based on this observation, they proposed the 
idea of exceptions-as-values: a value is either a "normal" value or an "exceptional" one. In 
their framework, exceptions are not effects anymore. And while they present this idea in 
the context of the Haskell programming language, it is a very general idea for exceptions 
in call-by-name calculi. 

From a typing perspective, exceptions are no simple beasts. Indeed, the type system 
should allow the use of exceptions in any part of a program. What should then be the type 
of the operation for raising an exception? A solution, used in ML for instance, is to allow 
the operation of raising an exception to have any type. In [14], S. Peyton Jones et al. chose 
a similar solution, making exceptional values inhabitants of all types. While simple, this 
solution comes at a price: the loss of type safety with respect to exceptions. The type of an 
expression never ensures that no exception can be raised during its evaluation. 

If we want the type of an expression to reflect which exceptions it may raise, a more 
precise typing is in order. For call-by-value languages, since exceptions are effects, a convenient 
and efficient solution is to add an effect system to the type system [13, 7]. Unfortunately 
and unsurprisingly, this solution is ill-adapted to the typing of call-by-name exceptional 
values. Indeed, tracking values with types is much more difficult than tracking effects. 

Call-by-name evaluation is well represented amongst the type theoretical calculi which 
are at the core of many proof assistants (Coq, LEGO [15], ...). We believe this reinforces 
the case for studying exceptions in call-by-name and their precise typing. Indeed, the 
solution of having exceptional values inhabiting all types would be inconsistent in these 
settings. 

This paper proposes a type system for exceptions in call-by-name calculi. By introducing 
the new notion of corruption, this type system is able to track which exceptions may 
escape from a term during evaluation. By using subtyping, this notion is able to cope with 
the automatic propagation of exceptions and to respect the modularity of typing. This type 
system is presented in the context of an extension of System F with exceptions. System F 
is used here as a first step towards more elaborate type theoretical frameworks. 

Meta-theoretical properties of the resulting calculus are proved in particular by exhibiting 
a realizability model. While parts of the proofs are given in this paper, more detailed 
proofs of the results presented² are available in the Ph.D. thesis of the author [8]. 

The remainder of the paper is organized as follows. We explain our design in Section 2: 
we justify the kind of exceptions-as-values we use and describe the three levels of corruption 
our type system distinguishes. We formally present our calculus in Section 3 and state the 
properties it enjoys, and Section 4 provides some examples. Then in Section 5 we design 
a realizability model of our calculus that gives some insight on the meaning of corruption, 
and we prove its soundness. Finally, we present in Section 6 some related works before 
concluding in Section 7 with future works. 

2. Design of the system 

2.1. Which exceptions-as-values? As stressed above, exceptions in call-by-name calculi 
should be values. But there are essentially two designs for exceptions as values: either we 
encode them explicitly in the language, or we make them primitives. The first option is a 
well-known one, and let us first present its drawbacks in order to justify the need for the 
primitive solution. 

¹ Remark that imperative languages alleviate this problem by making the operation of raising an exception 
an instruction and not an expression. 

² A notable difference is the presence of lists in the language described in this document, while in [8] the 
data type of lists is only presented for a first-order typed version of the language. 

Encoding exceptions explicitly is an old idea [20, 16]: to each type A is associated a type 
Maybe A whose values are either values of A tagged as correct values, or exceptional values (this idea 
is nicely explained, for the Haskell programming language, in [14]). It was later realized 
that the Maybe type constructor forms a monad [22]. And P. Wadler and P. Thiemann 
proposed in [23] to add effects to monads, allowing for the detection of uncaught exceptions 
in such monadic encodings. However this approach has some drawbacks, namely: 

• Terms using exceptions are crippled by extra clutter. For example, in Haskell, to apply a 
function f :: Int -> Int to a value x :: Maybe Int we are forced to write: 

    do a <- x
       return (f a)

Using exceptions is not as transparent for the programmer as it is in call-by-value 
languages; 

• As remarked in [14], modularity and code re-use are compromised, especially for higher 
order functions. Consider the following sorting function: 

    sort :: (a -> a -> Bool) -> [a] -> [a]

This function cannot be applied to a comparison function that may raise exceptions, such 
as: 

    cmp :: a -> a -> Maybe Bool

Indeed, with monads, we need to know where the sort function uses the comparison in 
order to add the monad's operations; 

• Monads force the evaluation of arguments (in the example above, the evaluation of x 
is forced before the application of f). One may not see that as an inconvenience, and 
this is indeed desirable for most uses of monads (IO, states, ...). Nonetheless, this is 
a constraint and it makes exceptions unusable in non-monadic call-by-name code. We 
think that this can be avoided for exceptions. 

This leads us to the second design choice: making exceptions primitive. This was 
first proposed by S. Peyton Jones et al. [14] with imprecise exceptions. The idea is that 
a value of any type is either a "normal" value or an "exceptional" one. The resulting 
mechanism allows exceptions to be used in place of any other term (as for more traditional 
"call-by-value" exceptions and contrary to monadic ones). Note that since values may 
be exceptional, we can have, for instance, a list which is fully defined but some of whose 
elements are exceptional values (see Section 4). These exceptions are raised only when (and 
if) the list is evaluated. A main difference with the call-by-value mechanism of exceptions 
is, for example, that a term like (λx. 0) (raise ε) (where 0 is simply the constant zero and ε 
some exception) will reduce to 0 and not to raise ε. 

Our system, named Fx, adapts this idea to System F, adding to it two new term 
constructions: raise and try. But while the exceptions of [14] are not precisely typed (the 
raising operation is in all types), we propose a type system where the type of an expression 
indicates which exceptions the expression may raise. 

2.2. Expected properties. The type system we will present enjoys the following 
properties: 

• If a term can raise an exception, its type indicates it. In particular, programs of type N 
are not able to raise exceptions; 

• Programmers can use a term raise ε in place of any other term. In particular, raise ε 
can be typed as a function; 

• Exceptions and their typing discipline do not jeopardize modularity and code re-use. 
A function defined without exceptions in mind still accepts exceptional arguments and 
behaves in a sensible way. Moreover, this is done without knowing the actual code of the 
function. 

2.3. Three levels of corruption. We call corrupted a term that may mention exceptions. 
Given a type A (say the type N of natural numbers), we distinguish three levels of 
corruption for the terms related to this type: 

• Terms of A. They are not corrupted: either they do not mention exceptions, or the ones 
they mention are caught or erased during reduction; 

• Terms of A ⊎ {ε}. They are terms of A or terms that reduce to the exception ε, i.e. reduce 
to raise ε (we then say that they raise ε). 

• Terms of A^{{ε}}. They are terms of A that may mention the exception ε but do not 
necessarily reduce to it (for instance, if S is the successor function, S (raise ε) has type 
N^{{ε}}, but not type N ⊎ {ε}, since it has neither type N nor reduces to raise ε). 

Moreover, to handle the properties of corruption, we use a subtyping relation. And in 
particular we have the subtyping: A ≤ A ⊎ {ε} ≤ A^{{ε}}. 

The following section explains why we need to distinguish at least those three levels. 
But one might wonder why we do not distinguish more levels, like the terms containing 
exceptions but not at top level, or the terms having an exception at a depth of at most 2 (like 
raise ε or λx. raise ε but not λx. λy. raise ε), etc. As of now, while such more precise 
notions may well be sound, we have not studied them. The main reason is that they would 
complicate and clutter the type system, while we are not convinced they would prove useful 
in practice. 

2.4. Why we need to distinguish these three levels. The construction A ⊎ {ε} is really 
needed because of the typing of the try operation, since for a try to catch an exception in 
its body, this body has to reduce to the exception. 

But because we do not want to change the typing rule of application, the construction 
A ⊎ {ε} clearly does not fulfill all our needs. Firstly, we cannot use it to type S (raise ε). 
Secondly, given a function M of type A → B, we cannot apply it to a term N of type A ⊎ {ε}. 
Indeed, M N is generally not of type B ⊎ {ε} (note however that it would be the case in a 
call-by-value calculus). Consider for instance M = λx.λy.x (of type A → (C → A)) and 
N = raise ε, then M N reduces to λy. raise ε which is not of type (C → A) ⊎ {ε} (since 
it is neither a function of type C → A nor the exception ε)³. 

³ Note that it is typically this example, the typing of a term like (λx. λy. x) N when N may raise 
an exception, that makes effect systems [13] unsuited to call-by-name exceptions. 
To solve these problems, we use a second type construction, the corruption of a type 
A by an exception of name ε, denoted A^{{ε}}. The main property the corruption enjoys is a 
good behavior with respect to arrow types: 

$$(A \to B)^{\{\varepsilon\}} = A^{\{\varepsilon\}} \to B^{\{\varepsilon\}}$$

This subtyping equality⁴ may seem paradoxical with respect to the usual subtyping rule of the arrow 
(contravariance on the left, covariance on the right). It is however justified by the 
realizability model of Section 5. 

Intuitively, terms of type A^{{ε}} should be seen as terms of type A where some sub-terms 
may have been replaced by raise ε (hence, programmers can use raise ε wherever they 
want, which, in turn, corrupts the resulting type). Equivalently, while terms of A ⊎ {ε} are 
terms that may reduce to raise ε at top level, terms of A^{{ε}} are the ones that may reduce 
to raise ε in any evaluation context. 

Now, with corruption, we can apply a function f : A → B to a potentially exceptional 
term. Indeed, we have that 

$$A \to B \;\leq\; (A \to B) \uplus \{\varepsilon\} \;\leq\; (A \to B)^{\{\varepsilon\}} \;=\; A^{\{\varepsilon\}} \to B^{\{\varepsilon\}}$$

Remark that since we use subtyping, there is no need to actually know the term f. This 
allows for modularity: to type the application of some (external) function f to a term u, 
it is enough to know the type of f, and this even when u may raise exceptions while the 
exported type of f does not mention exceptions. This is in particular convenient for 
primitive functions like the successor function S, allowing to type-check S (raise ε) with the 
type N^{{ε}} without the need to give S a complicated type (the type of S is simply N → N). 

2.5. Exceptions by the millions. While we have only used one exception name ε in the 
above section, it is useful to be able to handle more than one exception at a time. To that 
end, the general type constructions are A ⊎ Δ and A^Δ, where Δ is a set of exception names. 

Using sets of exceptions requires some type identifications, given by the following subtyping 
rules: 

$$(A \uplus \Delta') \uplus \Delta = A \uplus (\Delta \cup \Delta')$$
$$(A^{\Delta})^{\Delta'} = A^{\Delta \cup \Delta'}$$
$$A \uplus \emptyset = A$$
$$A^{\emptyset} = A$$



⁴ The subtyping equality A = B is simply defined as shorthand for A ≤ B and B ≤ A. 
3. Formal presentation 

We present the Fx calculus, an extension of System F with typed exceptions, natural 
numbers and lists. 

3.1. Syntax, reductions and associated properties. 

3.1.1. Syntax of terms. We consider a countable set ℰ of exception names and a 
distinguished set of variables 𝒱. 

Definition 3.1 (Terms). A term of Fx is a term generated by the following grammar: 

$$M, N ::= x \mid \lambda x.M \mid M\,N \mid \mathtt{raise}\ \varepsilon \mid \mathtt{try}\ M\ \mathtt{with}\ \varepsilon \mapsto N \mid 0 \mid S \mid \mathtt{rec} \mid [\,] \mid \mathtt{cons} \mid \mathtt{list\_rec}$$

In this definition, variables are ranged over by x, y, ... while exception names are ranged 
over by ε, ε', .... Notions of free and bound variables are defined as usual, as well as 
the external operation of substitution (written M{x := N}). The set of all closed terms 
is denoted 𝒯 and terms are considered up to α-equivalence. Note that the construction 
try M with ε ↦ N does not bind the occurrences of ε. The term raise ε is called an 
exception, ε being its name, but, as an abuse of terminology, we also call ε an exception. In 
the term try M with ε ↦ N we will sometimes call M the body and N the handler of the 
try construction. 

To the terms of the lambda calculus, we add the constructions to raise and catch 
exceptions as well as two usual structured data types: the natural numbers and the lists. 

3.1.2. Computation in Fx. 

Definition 3.2 (Regular values). A regular value is a (closed) term of Fx having one of 
the following forms: 

$$RV ::= \lambda x.M \mid 0 \mid S \mid S\,N \mid \mathtt{rec} \mid \mathtt{rec}\,M \mid \mathtt{rec}\,M\,N \mid [\,] \mid \mathtt{cons} \mid \mathtt{cons}\,M \mid \mathtt{cons}\,M\,N \mid \mathtt{list\_rec} \mid \mathtt{list\_rec}\,M \mid \mathtt{list\_rec}\,M\,N$$

Note that S N is a regular value for any term N, and hence S (raise ε) is a regular 
value as well. 

Definition 3.3 (Values). A value is a (closed) term of Fx having one of the following 
forms: 

$$V ::= RV \mid \mathtt{raise}\ \varepsilon$$

where RV is a regular value and ε any exception name. 

For well-typed terms, a value corresponds to a weak head normal form. 

Definition 3.4 (Computation). The notion of reduction ▷ for the calculus is defined by the 
rules of Figure 1. Computation in Fx is defined from the notion of reduction by the reduction 
relation ≻ whose rules are given in Figure 2. We write ≻* for the reflexive and transitive 
closure of ≻, and ≡ for its reflexive, transitive and symmetric closure. Moreover, if 
M ≡ N, we will say that M is equivalent to N. 
Figure 1: Notion of reduction for Fx 

Figure 2: Relation of reduction for Fx 



Note that, as usual, the scope of capture of the try construction is dynamic: in the 
term (λx. try x with ε ↦ 0) (raise ε), the exception is caught during reduction and the 
whole term reduces to 0. We say that a term M raises the exception ε if M ≻* raise ε 
(that is, if M reduces to the exception named ε). 

Definition 3.5 (To have a value). We say that a term M has a value if and only if it 
reduces to a value, that is, if there exists a value V such that M ≻* V. 

It can be proved [8] that this notion is equivalent to that of having a normal form 
for the weak head reduction of the calculus. 

We now show that adding raise and try does not break the confluence of the calculus: 

Theorem 3.6 (Confluence). If M, N and N' are terms such that M ≻* N and M ≻* N', 
then there exists a term P such that N ≻* P and N' ≻* P. 

Proof. We adapt the proof due to Tait and Martin-Löf for the confluence of the pure 
lambda calculus, which can be found in the standard literature. We define a notion of parallel 
reduction ⇒ for Fx, show that it satisfies the diamond property, and conclude since 
≻* = ⇒*. The proofs of these properties are easy inductions that we leave to the interested 
reader. We however give in Appendix A the definition of the parallel reduction for Fx. □ 
3.2. The type system. As stressed in Section 2.3, Fx uses a subtyping relation ≤. Thus, 
Fx is in fact an extension of the second-order lambda calculus with subtyping introduced 
by Mitchell [10] (which we will call System Fη in the following). Note that 
we will however use a presentation of this calculus that differs from the original one and 
that can be found for example in [19]. 

Definition 3.7 (Types). The syntax of types for Fx is built upon the one of System F. 
Types of Fx are generated by the following grammar: 

$$A, B ::= \alpha \mid N \mid A\ \mathtt{list} \mid A \to B \mid \forall\alpha.A \mid A \uplus \Delta \mid A^{\Delta}$$

In A ⊎ Δ and A^Δ, Δ is a finite set of exception names (Δ ⊆ ℰ). Moreover, α stands 
for a type variable taken from the set of type variables. Notions of free and bound 
type variables are defined as usual, as well as the external operation of substitution (written 
A{α := B}). We denote by FV(A) the set of all the free type variables of the type A. 
Types are considered up to α-equivalence. Precedences for the arrow construction and the 
universal quantifier are the usual ones, the precedences of A ⊎ Δ and A^Δ being higher. 
Moreover, we will often write A list^Δ for (A list)^Δ. 

3.2.1. Typing. 

Definition 3.8 (Typing context). A typing context Γ is a finite set of declarations having 
the form Γ = x₁ : A₁, ..., xₙ : Aₙ where x₁, ..., xₙ are pairwise distinct term variables and 
where A₁, ..., Aₙ are arbitrary types. 

The set FV(Γ) of free variables of Γ denotes the union of the sets of free type variables 
of the types used in Γ, that is to say: 

$$FV(x_1 : A_1, \ldots, x_n : A_n) = \bigcup_{i \in \{1 \ldots n\}} FV(A_i)$$

Definition 3.9 (Typing). The type system of Fx is defined from the typing judgment 

$$\Gamma \vdash M : A$$

that reads "in the typing context Γ, the term M has type A". This judgment is inductively 
defined by the rules of Figure 3. 

Remark that the typing rules of System Fη are unchanged; we simply add rules. 
Also note that the usual typing rules for the recursion operators can be retrieved from (rec) 
and (fold) by taking Δ = Δ' = ∅ (these rules are in fact typing schemes). 

3.2.2. Subtyping. 

Definition 3.10 (Subtyping). The subtyping relation between two types A and B, written 
A ≤ B, is inductively defined by the rules of Figure 4. 

The equality A = B is defined as short for "A ≤ B and A ≥ B". In the inference rules, 
when the equality A = B appears as a premise, it stands for the two premises A ≤ B and 
A ≥ B. And when it appears as a conclusion, it stands for two inference rules, one having 
A ≤ B as conclusion, the other one having A ≥ B. 

The subtyping rules of Fη are unchanged. The rules (ex-noexc), (eq-uu) and (eq-cc) 
deal with sets of exceptions. The hierarchy of corruption (see Section 2.3) is implemented by 
System Fη typing rules: 

$$\frac{(x : A) \in \Gamma}{\Gamma \vdash x : A} \qquad \frac{\Gamma, x : A \vdash M : B}{\Gamma \vdash \lambda x.M : A \to B}\ (\mathrm{abs}) \qquad \frac{\Gamma \vdash M : A \to B \quad \Gamma \vdash N : A}{\Gamma \vdash M\,N : B}\ (\mathrm{app})$$

$$\frac{\Gamma \vdash M : A \quad \alpha \notin FV(\Gamma)}{\Gamma \vdash M : \forall\alpha.A} \qquad \frac{\Gamma \vdash M : A \quad A \leq B}{\Gamma \vdash M : B}\ (\mathrm{subs})$$

Natural numbers typing rules: 

$$\frac{}{\Gamma \vdash 0 : N}\ (\mathrm{zero}) \qquad \frac{}{\Gamma \vdash S : N \to N}\ (\mathrm{succ})$$

$$\frac{}{\Gamma \vdash \mathtt{rec} : \forall\alpha.\ \alpha \uplus \Delta \to (N^{\Delta} \to \alpha \uplus \Delta \to \alpha \uplus \Delta) \to N^{\Delta} \uplus \Delta' \to \alpha \uplus (\Delta \cup \Delta')}\ (\mathrm{rec})$$

List typing rules: 

$$\frac{}{\Gamma \vdash [\,] : \forall\alpha.\ \alpha\ \mathtt{list}} \qquad \frac{}{\Gamma \vdash \mathtt{cons} : \forall\alpha.\ \alpha \to \alpha\ \mathtt{list} \to \alpha\ \mathtt{list}}$$

$$\frac{}{\Gamma \vdash \mathtt{list\_rec} : \forall\alpha.\forall\beta.\ \alpha \uplus \Delta \to (\beta^{\Delta} \to \beta\ \mathtt{list}^{\Delta} \to \alpha \uplus \Delta \to \alpha \uplus \Delta) \to \beta\ \mathtt{list}^{\Delta} \uplus \Delta' \to \alpha \uplus (\Delta \cup \Delta')}\ (\mathrm{fold})$$

Exception handling typing rules: 

$$\frac{}{\Gamma \vdash \mathtt{raise}\ \varepsilon : \forall\alpha.\ \alpha \uplus \{\varepsilon\}}\ (\mathrm{raise}) \qquad \frac{\Gamma \vdash M : A \uplus \{\varepsilon\} \quad \Gamma \vdash N : A}{\Gamma \vdash \mathtt{try}\ M\ \mathtt{with}\ \varepsilon \mapsto N : A}\ (\mathrm{try})$$

Figure 3: Typing judgments 



(ex-uni) and (ex-corrupt). The rules (ex-fallc) and (ex-fallu) are justified by the absence 
of computational content of the universal quantification. Moreover, corruption and union 
commute (eq-uc). 

The subtyping is stable by union (ex-ctx), but also by corruption (this is proved by 
Theorem 3.11). Rule (ex-arru) simply says that, since a term M of type (A → B) ⊎ Δ is 
either a term of type A → B or an exception of Δ, it can always be applied to a term of 
type A, resulting in a term of type B (if M is a true function) or an exception of Δ (if M 
is one). 

As discussed in Section 2.4, the rule (eq-arrc) is the main rule of corruption and allows 
exceptions to be used anywhere. Note that we really need an equality here, on pain of losing 
the subject reduction property. 

Finally, the list construction is monotonic (rule (ex-lctx)) and a list of corrupted 
elements is in particular a corrupted list (rule (ex-lcor)). 

The subtyping associated with the notion of corruption is a quite flexible one, especially 
with respect to arrows. As noted in Section 2.4, it allows us to derive 

$$A_1 \to A_2 \to \cdots \to A_n \;\leq\; A_1^{\Delta} \to A_2^{\Delta} \to \cdots \to A_n^{\Delta}$$



but also that A^Δ → B ≤ A^Δ → B^Δ or that A → B^Δ ≤ A^Δ → B^Δ, for instance⁵. However, 
what the subtyping of corruption forbids is the removal of corruption in covariant 
position. That is, corruption allows the use of functions with exceptions they do not handle 
themselves, but it then always ensures that the return type mentions those exceptions. 

S. LEBRESNE 

System Fη rules: 

$$\frac{}{A \leq A}\ (\mathrm{st\text{-}id}) \qquad \frac{A \leq B \quad B \leq C}{A \leq C}\ (\mathrm{st\text{-}trans}) \qquad \frac{A' \leq A \quad B \leq B'}{A \to B \leq A' \to B'}\ (\mathrm{st\text{-}arrow})$$

$$\frac{A \leq B \quad \alpha \notin FV(A)}{A \leq \forall\alpha.B}\ (\mathrm{f\text{-}gen}) \qquad \frac{}{\forall\alpha.A \leq A\{\alpha := B\}}\ (\mathrm{f\text{-}inst}) \qquad \frac{\alpha \notin FV(A)}{\forall\alpha.(A \to B) \leq A \to \forall\alpha.B}\ (\mathrm{f\text{-}distr})$$

Exception related rules: 

$$\frac{}{A \leq A \uplus \Delta}\ (\mathrm{ex\text{-}uni}) \qquad \frac{}{A \uplus \Delta \leq A^{\Delta}}\ (\mathrm{ex\text{-}corrupt}) \qquad \frac{}{A^{\emptyset} \leq A}\ (\mathrm{ex\text{-}noexc})$$

$$\frac{A \leq B}{A \uplus \Delta \leq B \uplus \Delta}\ (\mathrm{ex\text{-}ctx}) \qquad \frac{}{(A \to B) \uplus \Delta \leq A \to B \uplus \Delta}\ (\mathrm{ex\text{-}arru})$$

$$\frac{}{\forall\alpha.A^{\Delta} \leq (\forall\alpha.A)^{\Delta}}\ (\mathrm{ex\text{-}fallc}) \qquad \frac{}{\forall\alpha.(A \uplus \Delta) \leq (\forall\alpha.A) \uplus \Delta}\ (\mathrm{ex\text{-}fallu})$$

$$\frac{}{A^{\Delta}\ \mathtt{list} \leq A\ \mathtt{list}^{\Delta}}\ (\mathrm{ex\text{-}lcor}) \qquad \frac{A \leq B}{A\ \mathtt{list} \leq B\ \mathtt{list}}\ (\mathrm{ex\text{-}lctx})$$

Exception related equality rules: 

$$(A \uplus \Delta) \uplus \Delta' = A \uplus (\Delta \cup \Delta')\ (\mathrm{eq\text{-}uu}) \qquad (A^{\Delta})^{\Delta'} = A^{\Delta \cup \Delta'}\ (\mathrm{eq\text{-}cc})$$

$$(A \uplus \Delta)^{\Delta'} = A^{\Delta'} \uplus \Delta\ (\mathrm{eq\text{-}uc}) \qquad (A \to B)^{\Delta} = A^{\Delta} \to B^{\Delta}\ (\mathrm{eq\text{-}arrc})$$

Figure 4: The subtyping relation 
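To make the corruption hierarchy and the flexibility of the arrow rules concrete, here is an added example (mine, not part of the paper) of a small Python checker for the quantifier-free fragment of the subtyping of Figure 4. `norm` applies the equality rules (eq-uu), (eq-cc), (eq-uc), (eq-arrc), A ⊎ ∅ = A and A^∅ = A, together with the derived equality A^Δ' ⊎ Δ = A^Δ' for Δ ⊆ Δ' (from (ex-uni), (ex-corrupt) and (eq-cc)), so that corruption is pushed through arrows. `sub` is then a syntax-directed search using only (st-arrow), (ex-uni), (ex-corrupt), (ex-ctx), (ex-arru), (ex-lcor), (ex-lctx), transitivity and Theorem 3.11, so every `True` it returns is backed by a derivation, but it is only an approximation: the rules about ∀ are not covered and it may answer `False` on some derivable judgements. The set Δ it tries when lifting an arrow A → B to A^Δ → B^Δ is the set of exception names of the target's domain, which is my own heuristic and not something the paper specifies.

```python
from dataclasses import dataclass
from typing import FrozenSet, Union

# Quantifier-free types of Fx: a base type (N or a type variable), A -> B, A list, A ⊎ Δ, A^Δ.
@dataclass(frozen=True)
class Base: name: str
@dataclass(frozen=True)
class Arrow: dom: "Ty"; cod: "Ty"
@dataclass(frozen=True)
class List: elem: "Ty"
@dataclass(frozen=True)
class Un: ty: "Ty"; exc: FrozenSet[str]      # union type  A ⊎ Δ
@dataclass(frozen=True)
class Cor: ty: "Ty"; exc: FrozenSet[str]     # corruption  A^Δ

Ty = Union[Base, Arrow, List, Un, Cor]
N = Base("N")

def un(t: Ty, *names: str) -> Ty: return Un(t, frozenset(names))
def cor(t: Ty, *names: str) -> Ty: return Cor(t, frozenset(names))
def arrow(*ts: Ty) -> Ty:                     # arrow(A, B, C) is A -> B -> C
    t = ts[-1]
    for d in reversed(ts[:-1]): t = Arrow(d, t)
    return t

def names(t: Ty) -> FrozenSet[str]:
    """All exception names mentioned in t."""
    if isinstance(t, Base): return frozenset()
    if isinstance(t, Arrow): return names(t.dom) | names(t.cod)
    if isinstance(t, List): return names(t.elem)
    return names(t.ty) | t.exc

def norm(t: Ty) -> Ty:
    """Canonical form modulo the equality rules: sets merged, empty sets dropped, corruption pushed through arrows."""
    if isinstance(t, Arrow): return Arrow(norm(t.dom), norm(t.cod))
    if isinstance(t, List): return List(norm(t.elem))
    if isinstance(t, Un):
        a = norm(t.ty)
        if not t.exc: return a                                           # A ⊎ ∅ = A
        if isinstance(a, Un): return Un(a.ty, a.exc | t.exc)              # (eq-uu)
        if isinstance(a, Cor) and t.exc <= a.exc: return a                # A^Δ' ⊎ Δ = A^Δ' when Δ ⊆ Δ'
        return Un(a, t.exc)
    if isinstance(t, Cor):
        a = norm(t.ty)
        if not t.exc: return a                                           # A^∅ = A
        if isinstance(a, Arrow): return Arrow(norm(Cor(a.dom, t.exc)), norm(Cor(a.cod, t.exc)))  # (eq-arrc)
        if isinstance(a, Cor): return Cor(a.ty, a.exc | t.exc)            # (eq-cc)
        if isinstance(a, Un): return norm(Un(Cor(a.ty, t.exc), a.exc))    # (eq-uc)
        return Cor(a, t.exc)
    return t

def sub(a: Ty, b: Ty) -> bool:
    """Sound, syntax-directed check of A <= B (incomplete: no rule about ∀, heuristic choice of Δ)."""
    a, b = norm(a), norm(b)
    if a == b: return True                                                # (st-id) modulo the equalities
    if isinstance(b, Un):
        if isinstance(a, Un) and a.exc <= b.exc and sub(a.ty, b.ty): return True   # (ex-ctx), (eq-uu)
        return sub(a, b.ty)                                               # (ex-uni), (st-trans)
    if isinstance(b, Cor):
        if isinstance(a, (Un, Cor)) and a.exc <= b.exc and sub(a.ty, b.ty): return True  # (ex-ctx)/Thm 3.11, (ex-corrupt), (eq-cc)
        if (isinstance(a, List) and isinstance(a.elem, Cor) and isinstance(b.ty, List)
                and a.elem.exc <= b.exc and sub(a.elem.ty, b.ty.elem)): return True      # (ex-lcor)
        return sub(a, b.ty)                                               # (ex-uni), (ex-corrupt), (st-trans)
    if isinstance(a, Un):                                                 # b has no top-level set: only (ex-arru) can help
        return isinstance(a.ty, Arrow) and isinstance(b, Arrow) and sub(Arrow(a.ty.dom, Un(a.ty.cod, a.exc)), b)
    if isinstance(a, Arrow) and isinstance(b, Arrow):
        if sub(b.dom, a.dom) and sub(a.cod, b.cod): return True           # (st-arrow)
        d = names(b.dom)                                                  # heuristic Δ for A->B <= (A->B)^Δ = A^Δ -> B^Δ
        return bool(d) and sub(b.dom, Cor(a.dom, d)) and sub(Cor(a.cod, d), b.cod)
    if isinstance(a, List) and isinstance(b, List): return sub(a.elem, b.elem)        # (ex-lctx)
    return False                                                          # e.g. a corrupted base type below a plain one
```

`sub(arrow(N, N), arrow(un(N, "e"), cor(N, "e")))` is exactly the judgement needed to type S (raise ε) : N^{{ε}} with S : N → N, and `sub(arrow(cor(N, "e"), cor(N, "e")), arrow(N, N))` is rejected because it would remove corruption from the covariant position.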

3.2.3. Typing the recursion operators. Fx uses natural numbers and lists. To work with 
these data types, we have equipped the calculus with the recursion operators (rec and list_rec) 
of Gödel's System T [6]. However, in the presence of exceptions, the usual typing of these 
operators is not precise enough. Indeed, consider the case of the natural numbers. The 
usual typing of the recursion operator rec is 

$$\forall\alpha.\ \alpha \to (N \to \alpha \to \alpha) \to N \to \alpha,$$

and hence, using the corruption type and its associated subtyping rules, it also has the type 

$$\forall\alpha.\ \alpha^{\Delta} \to (N^{\Delta} \to \alpha^{\Delta} \to \alpha^{\Delta}) \to N^{\Delta} \to \alpha^{\Delta}$$

for any set of exception names Δ. However, this last type is not precise enough; for 
instance, it does not precisely account for the reduction rule 

$$\mathtt{rec}\ X\ Y\ (\mathtt{raise}\ \varepsilon) \succ \mathtt{raise}\ \varepsilon.$$

Dealing with this imprecision is the reason for the addition of the set Δ' in the typing rule 
of rec (rule (rec) of Figure 3). Moreover, the function eval which will be introduced in 
Section 4 reveals another imprecision. Given a corrupted natural number, this function 
returns either a well formed natural number or an exception at top level. But to give this 
function the type we want, that is to say the type N^Δ → N ⊎ Δ, we need the addition of 
the set Δ in the typing rule of the recursion operator (rule (rec) of Figure 3). The typing 
rule of the recursion operator list_rec follows the same modifications. 

⁵ Proofs for all those relations follow the same pattern. Corruption is introduced on the right with (ex-uni) 
and (ex-corrupt) and is then distributed over the operands of the arrow with (eq-arrc). Lastly, double 
corruption ((A^Δ)^Δ) is eliminated with (eq-cc) if needed. 

3.3. Properties of typing. The subtyping relation is stable by corruption: 

Theorem 3.11. If A and B are two types such that A ≤ B, then for any set of exception 
names Δ, A^Δ ≤ B^Δ. 

Proof. We proceed by induction on the derivation of A ≤ B. All the cases are easily 
resolved since corruption commutes with all type constructions. For example, taking the 
case of rule (ex-arru), we have to show that ((A → B) ⊎ Δ')^Δ ≤ (A → B ⊎ Δ')^Δ. But 
using rule (ex-arru), (A^Δ → B^Δ) ⊎ Δ' ≤ A^Δ → B^Δ ⊎ Δ', and we conclude using the fact 
that (A^Δ → B^Δ) ⊎ Δ' = ((A → B) ⊎ Δ')^Δ and A^Δ → B^Δ ⊎ Δ' = (A → B ⊎ Δ')^Δ. □ 

A few remarkable subtyping rules are also easily derivable from the ones of Figure 4. 

Theorem 3.12. The following subtyping relations hold: 

$$A \uplus \emptyset \leq A$$
$$(\forall\alpha.A) \uplus \Delta \leq \forall\alpha.(A \uplus \Delta)$$
$$(\forall\alpha.A)^{\Delta} \leq \forall\alpha.(A^{\Delta})$$

Proof. The proof of A ⊎ ∅ ≤ A comes from rules (ex-corrupt) and (ex-noexc). The proofs of 
(∀α.A) ⊎ Δ ≤ ∀α.(A ⊎ Δ) and (∀α.A)^Δ ≤ ∀α.(A^Δ) are similar. For instance, for the 
former, we use (f-inst) and (ex-uni) to show that ∀α.A ≤ A ⊎ Δ. Then, using (ex-ctx) 
and (eq-uu), we show that (∀α.A) ⊎ Δ ≤ A ⊎ Δ. And we conclude with (f-gen). □ 
$$\frac{}{M \sqsubseteq_{\Delta} M}\ (\mathrm{c\text{-}id}) \qquad \frac{\varepsilon \in \Delta}{M \sqsubseteq_{\Delta} \mathtt{raise}\ \varepsilon}\ (\mathrm{c\text{-}rai}) \qquad \frac{M \sqsubseteq_{\Delta} M'}{\lambda x.M \sqsubseteq_{\Delta} \lambda x.M'}\ (\mathrm{c\text{-}lam})$$

$$\frac{M \sqsubseteq_{\Delta} M' \quad N \sqsubseteq_{\Delta} N'}{M\,N \sqsubseteq_{\Delta} M'\,N'}\ (\mathrm{c\text{-}app}) \qquad \frac{M \sqsubseteq_{\Delta} M' \quad N \sqsubseteq_{\Delta} N'}{\mathtt{try}\ M\ \mathtt{with}\ \varepsilon \mapsto N \sqsubseteq_{\Delta} \mathtt{try}\ M'\ \mathtt{with}\ \varepsilon \mapsto N'}\ (\mathrm{c\text{-}try})$$

Figure 5: Corruption relation 



Definition 3.13. The corruption relation ⊑_Δ between terms is inductively defined in Figure 5. 
To have M ⊑_Δ N means that N is obtained from M by replacing some sub-terms, in any 
position, by raise ε, with ε belonging to Δ. 

Thus, Theorem 3.14 formally states that, in terms of programming, exceptions can be 
used in any place, but at the cost of corrupting the type. 

Theorem 3.14 (Corruption). If M and N are two terms, A a type and Δ a set of exceptions 
such that Γ ⊢ M : A and M ⊑_Δ N, then Γ ⊢ N : A^Δ. 

Proof. This theorem is proved by induction on the statement M ⊑_Δ N. The proof presents 
no major difficulty as long as we first prove the three following "inversion" results: 

(1) If M is a term, A a type and Γ a typing context such that 

Γ ⊢ λx.M : A, 

then there exist a set of type variables ᾱ ∉ FV(Γ) and two types B and C such that 
∀ᾱ.(B → C) ≤ A and Γ, x : B ⊢ M : C. 

(2) If M and N are two terms, A a type and Γ a typing context such that 

Γ ⊢ M N : A, 

then there exists a type C such that Γ ⊢ M : C → A and Γ ⊢ N : C. 

(3) If M and N are two terms, A a type and Γ a typing context such that 

Γ ⊢ try M with ε ↦ N : A, 

then Γ ⊢ M : A ⊎ {ε} and Γ ⊢ N : A. 

The proofs of these three results are straightforward inductions on the derivation of the initial 
typing judgment. □ 



4. Examples 

A simple yet classical function on natural numbers which can raise an exception is the 
predecessor function. In Fx, we can define: 

    pred = rec (raise pred_err) (λx.λy.x) : N → N ⊎ {pred_err}

It has the expected reductions, i.e. pred 0 ≻* raise pred_err and pred (S N) ≻* N. We can then 
define a "safe" predecessor pred' from pred which returns 0 when applied to 0: 

    pred' = λn. try (pred n) with pred_err ↦ 0 : N → N
Having exceptions, it is possible to define the functions that return the head and the 
tail of a list: 

    hd : A list → A ⊎ {hd_fail}
       = list_rec (raise hd_fail) (λe. λl. λ_. e)

    tl : A list → A list ⊎ {tl_fail}
       = list_rec (raise tl_fail) (λe. λl. λ_. l)

We can also define Euclidean division (div : N → N → N ⊎ {div_by_0}) and the 
mapping of a function over a list (map : ∀α. ∀β. (α → β) → α list → β list). The type 
system being modular, we can (and will) use these two functions without having to exhibit 
a particular implementation. But using them allows us to define the following function that 
maps the function n ↦ div 10 (pred n) over a list: 

    f : N list → (N^{pred_err, div_by_0}) list
      = map (λn. div 10 (pred n))

Remark that the result is always a list, but one that can contain exceptional values. For instance, 
f [2; 1; 5] computes the list [5; raise div_by_0; 2], which does not reduce to raise div_by_0. 
Again, exceptions are values that propagate only when used. Now we can get the first 
element of the result of this function with: 

    g : N list → N^{pred_err, div_by_0} ⊎ {hd_fail}
      = λl. hd (f l)

We can apply g to some argument and catch the exception hd_fail with a try, but we cannot 
catch the two other exceptions, since these are not necessarily at top level. If we want 
to catch them, we need a function that evaluates a potentially corrupted natural number 
and returns either a well formed natural number or an exception. It is the purpose of the 
following function: 

    eval : N^Δ → N ⊎ Δ
         = λn. (rec (λa. a) (λm. λr. λa. r (S a)) n) 0

With this function, we can now capture the exceptions that can appear in the result of the 
function g above. That is what the following function does (where we use a straightforward 
shortcut allowing the try to catch all the exceptions): 

    h : N list → N
      = λl. try (eval (g l)) with pred_err, div_by_0, hd_fail ↦ 0

Note that, for instance, h [2; 1; 5] will return 5 in our system, since the part of the list that 
would yield an exception (the second element after the mapping) is never used (we only use 
the head of the list). In contrast, a similar function in, say, Caml would have yielded 0. 
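The evaluator below is an added example of mine, not code from the paper. It implements weak-head reduction for the terms of Definition 3.1 as I reconstruct it from the prose of Sections 2.1, 2.4, 3.1.2 and 3.2.3 and from this section (the rules of Figures 1 and 2 are not legible in this copy of the page): raise ε absorbs its arguments, try catches only a top-level exception of its own name and lets regular values through, and rec / list_rec iterate as in System T and propagate an exception found in their recursion argument (the list_rec case is assumed by analogy with rec X Y (raise ε) ≻ raise ε). map is my own definition via list_rec, since the paper leaves it abstract; div is not implemented, so the list example maps λn. S (pred n) instead, which likewise hides the exception under a constructor and therefore also shows why eval is needed. It then runs pred, pred', hd, eval and h on constructed inputs, and the call-by-name behaviours of Sections 2.1 and 2.4.

```python
from dataclasses import dataclass
from typing import Optional, Union

# Terms of Fx (Definition 3.1). Constants are curried: "rec X Y n" is App(App(App(REC, X), Y), n).
@dataclass(frozen=True)
class Var: name: str
@dataclass(frozen=True)
class Lam: var: str; body: "Term"
@dataclass(frozen=True)
class App: fun: "Term"; arg: "Term"
@dataclass(frozen=True)
class Raise: exc: str
@dataclass(frozen=True)
class Try: body: "Term"; exc: str; handler: "Term"
@dataclass(frozen=True)
class Const: name: str

Term = Union[Var, Lam, App, Raise, Try, Const]
ZERO, S, REC, NIL, CONS, LIST_REC = (Const(n) for n in ("0", "S", "rec", "[]", "cons", "list_rec"))

def app(head: Term, *args: Term) -> Term:             # app(M, N1, N2) is (M N1) N2
    for a in args: head = App(head, a)
    return head

def lam(binders: str, body: Term) -> Term:            # lam("x y", M) is λx.λy.M
    for x in reversed(binders.split()): body = Lam(x, body)
    return body

def spine(m: Term):                                   # M N1 ... Nk  ->  (M, [N1, ..., Nk])
    args = []
    while isinstance(m, App): args.append(m.arg); m = m.fun
    return m, args[::-1]

def subst(m: Term, x: str, n: Term) -> Term:
    # M{x := N}; weak-head reduction of closed terms only substitutes closed N, so no capture can occur
    if isinstance(m, Var): return n if m.name == x else m
    if isinstance(m, Lam): return m if m.var == x else Lam(m.var, subst(m.body, x, n))
    if isinstance(m, App): return App(subst(m.fun, x, n), subst(m.arg, x, n))
    if isinstance(m, Try): return Try(subst(m.body, x, n), m.exc, subst(m.handler, x, n))
    return m

def step(m: Term) -> Optional[Term]:
    """One weak-head step of a closed term; None when m is a value (Definition 3.3)."""
    if isinstance(m, Try):                            # the body of a try is an evaluation position
        if (b := step(m.body)) is not None: return Try(b, m.exc, m.handler)
        if isinstance(m.body, Raise): return m.handler if m.body.exc == m.exc else m.body  # only a top-level exception of that name is caught
        return m.body                                 # a regular value (e.g. S (raise ε)) passes through uncaught
    if not isinstance(m, App): return None
    head, args = spine(m)
    if isinstance(head, Lam): return app(subst(head.body, head.var, args[0]), *args[1:])  # beta
    if isinstance(head, Raise): return head            # (raise ε) N ▷ raise ε: an exception absorbs its arguments
    if isinstance(head, Try): return None if (h := step(head)) is None else app(h, *args)
    if head in (REC, LIST_REC) and len(args) >= 3:     # the third argument of rec/list_rec is an evaluation position
        x, y, n, rest = args[0], args[1], args[2], args[3:]
        if (n2 := step(n)) is not None: return app(head, x, y, n2, *rest)
        if isinstance(n, Raise): return n              # rec X Y (raise ε) ▷ raise ε (Section 3.2.3); list_rec likewise (assumed)
        nh, nargs = spine(n)                           # System T iteration on 0 / S n and [] / cons h t
        if nh in (ZERO, NIL): return app(x, *rest)
        if nh == S: return app(y, nargs[0], app(REC, x, y, nargs[0]), *rest)
        if nh == CONS: return app(y, nargs[0], nargs[1], app(LIST_REC, x, y, nargs[1]), *rest)
    return None

def whnf(m: Term, fuel: int = 100_000) -> Term:
    while (n := step(m)) is not None:
        m, fuel = n, fuel - 1
        if fuel == 0: raise RuntimeError("no weak head normal form reached")
    return m

def nat(k: int) -> Term: return ZERO if k == 0 else App(S, nat(k - 1))
def lst(items) -> Term: return NIL if not items else app(CONS, items[0], lst(items[1:]))

def read_nat(v: Term):                                 # numeral produced by eval -> int; top-level exception -> its name
    if isinstance(v, Raise): return v.exc
    k = 0
    while v != ZERO:
        h, a = spine(v); assert h == S and len(a) == 1, "not a fully evaluated numeral"
        v, k = a[0], k + 1
    return k

# The programs of Section 4 (map is my own System T style definition; the paper leaves it abstract)
E, PRED_ERR, HD_FAIL = "e", "pred_err", "hd_fail"
pred = app(REC, Raise(PRED_ERR), lam("x y", Var("x")))                      # N -> N ⊎ {pred_err}
pred_safe = lam("n", Try(App(pred, Var("n")), PRED_ERR, ZERO))               # N -> N
hd = app(LIST_REC, Raise(HD_FAIL), lam("e l _", Var("e")))                   # A list -> A ⊎ {hd_fail}
ev = lam("n", app(REC, lam("a", Var("a")), lam("m r a", app(Var("r"), App(S, Var("a")))), Var("n"), ZERO))  # N^Δ -> N ⊎ Δ
mapf = lam("f", app(LIST_REC, NIL, lam("e l r", app(CONS, App(Var("f"), Var("e")), Var("r")))))
f = App(mapf, lam("n", App(S, App(pred, Var("n")))))                         # N list -> N^{pred_err} list (constructed example)

def h(xs) -> int:
    # h = λl. try (eval (hd (f l))) with pred_err, hd_fail ↦ 0; the catch-all is written as two nested tries
    body = App(ev, App(hd, App(f, lst([nat(x) for x in xs]))))
    return read_nat(whnf(Try(Try(body, PRED_ERR, ZERO), HD_FAIL, ZERO)))

def without_eval() -> bool:
    # without eval, hd (f [0]) is the regular value S (pred 0): the exception is not at top level, so nothing is caught
    return whnf(Try(App(hd, App(f, lst([ZERO]))), PRED_ERR, ZERO)) == App(S, App(pred, ZERO))

def cbn_examples():                                    # behaviours of Sections 2.1, 2.4 and 3.1.2
    return (whnf(App(lam("x", ZERO), Raise(E))),                         # (λx.0)(raise ε) ≻ 0
            whnf(App(lam("x y", Var("x")), Raise(E))),                   # (λx.λy.x)(raise ε) ≻ λy.raise ε, a regular value
            whnf(App(lam("x", Try(Var("x"), E, ZERO)), Raise(E))),       # try is dynamically scoped: ≻ 0
            whnf(Try(App(S, Raise(E)), E, ZERO)))                        # S (raise ε) is a regular value: nothing is caught
```

`h([2, 0, 5])` returns 2 although the second element of the mapped list is the corrupted value S (pred 0): it is never evaluated. `h([0, 3])` returns 0 because eval drives the exception hidden under S to top level where the try sees it, and `without_eval()` shows that the same try without eval catches nothing.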

5. Realizability model 

We will define a realizability model for Fx using techniques of orthogonality (see [12, 20] for 
examples of use of such techniques). The choice of those orthogonality techniques is mainly 
motivated by two reasons: we believe that it offers a nice way to handle second order, and 
it will come in handy for the definition of the interpretation of corruption, allowing a much 
simpler definition than a "direct" model would. We start by introducing a few 
definitions necessary to the construction of the model. 
5.1. Daimon and contexts. We add a new and distinguished term, the daimon (denoted $\maltese$), similar to the one of [5]. This term computationally behaves like an uncatchable exception. We also introduce the new term construction $M ; N$. This construction tests whether $M$ is the daimon and, if so, returns $N$. Otherwise, it does not reduce. The reduction rules for these two additions are given in Figure 6. Moreover, $\maltese$ is added to the definition of value. Note that none of these constructs have typing rules and as such, they cannot be used in well-typed terms. It can also easily be proved that they do not break the confluence property of the language. In those respects, they are only convenient technical additions for the model and should not be considered as an inherent part of the language.



$\maltese\ N \succ \maltese$

$\mathrm{try}\ \maltese\ \mathrm{with}\ e \mapsto N \succ \maltese$

$\mathrm{rec}\ X\ Y\ \maltese \succ \maltese$

$\mathrm{list\_rec}\ X\ Y\ \maltese \succ \maltese$

$\maltese ; N \succ N$

Figure 6: Reduction rules for $\maltese$ and $;$.

The daimon has two purposes in the model. First, it will inhabit every type interpretation, a property that will be used to show that all the terms of the interpretation are weakly normalizing (see Lemma 5.13). Secondly, our model is a realizability one: types will be interpreted by sets of terms. But the principle of our orthogonality model is to not define those sets directly, but instead to first define the interpretation of types as sets of evaluation contexts. Then, to each such set $S$ of evaluation contexts is associated the set of all the terms that "behave correctly" for all the contexts of $S$. This notion of a term $M$ "behaving correctly" in a context $C$ is the orthogonality relation. For our model we chose it to be that $M$ put in the context $C$ reduces to the distinguished term $\maltese$. But to define this orthogonality relation formally, let us first formally define the evaluation contexts we will use:

Definition 5.1 (Context). A context is a term with a hole (denoted by $[\,]$) defined by:

$C ::= [\,] \mid C\ N \mid \mathrm{try}\ C\ \mathrm{with}\ e \mapsto \maltese \mid \mathrm{rec}\ M\ N\ C \mid \mathrm{list\_rec}\ X\ Y\ C$

The set of all contexts is denoted $\mathcal{C}$, and the term obtained by filling the hole of a context $C$ with the term $M$ is denoted $C[M]$.

Note that our definition of context is more restrictive than the usual one (where a context is any term with a hole). Actually, save for the restriction of the handler of try to $\maltese$ (which will allow for a simpler interpretation of corruption), our contexts are the evaluation contexts of call-by-name evaluation.

Moreover, we will not care about the order of two adjacent try in a context. Since the set of all exception names $\mathcal{E}$ is countable, we can fix a priori a bijection $\phi : \mathcal{E} \to \mathbb{N}$ and we define the following notation:

Notation 5.2. If $\Delta$ is a (finite) set of exception names, then $\mathrm{try}\ [\,]\ \mathrm{with}\ \Delta$ is a notation for

• the context $\mathrm{try}\ (\ldots (\mathrm{try}\ [\,]\ \mathrm{with}\ e_1 \mapsto \maltese) \ldots)\ \mathrm{with}\ e_n \mapsto \maltese$ if $\Delta \neq \emptyset$ and if $e_1, \ldots, e_n$ are the elements of $\Delta$ arranged according to $\phi$ (that is, $\phi(e_1) < \ldots < \phi(e_n)$);

• the empty context otherwise (if $\Delta = \emptyset$).
Contexts have the following property:

Lemma 5.3. If $C$ is a context and $M$ is a term such that $C[M]$ has a value, then $M$ has a value.

Proof. By cases on the form of the context $C$ and by induction on the length of the reduction of $C[M]$ to the value. No case raises specific difficulties. □

5.2. Orthogonality relation.

Definition 5.4 (Orthogonality relation). If $M$ is a term and $C$ a context, then $M \perp C$ (and we say that $M$ and $C$ are orthogonal) if and only if $C[M] \succ^* \maltese$.

Moreover, if $S$ is a set of contexts, we define the set of terms $S^\perp$ by

$S^\perp = \{ M \mid \forall C \in S,\ M \perp C \}$

Note that, as with any orthogonality relation, we can easily check that $\perp$ satisfies the following properties:

Lemma 5.5. If $S$ and $T$ are two context sets such that $S \subseteq T$, then $T^\perp \subseteq S^\perp$.

Lemma 5.6. If $I$ is any set and $(S_i)_{i \in I}$ is a family of sets of contexts indexed by $I$, then

5.3. Operations on sets. We recall the two standard definitions of concatenation $\cdot$ (of a set of terms and a set of contexts) and composition $\circ$ (of two sets of contexts):

$A \cdot S = \{ C[[\,]\ N] \mid C \in S,\ N \in A \}$
$S \circ T = \{ C[D[\,]] \mid C \in S,\ D \in T \}$

For instance,

$\{0, 1\} \cdot \{\mathrm{try}\ [\,]\ \mathrm{with}\ e \mapsto \maltese\} = \{\mathrm{try}\ ([\,]\ 0)\ \mathrm{with}\ e \mapsto \maltese,\ \mathrm{try}\ ([\,]\ 1)\ \mathrm{with}\ e \mapsto \maltese\}$
$\{\mathrm{try}\ [\,]\ \mathrm{with}\ e \mapsto \maltese,\ [\,]\ (\lambda x.\ x)\} \circ \{[\,]\ 1\} = \{\mathrm{try}\ ([\,]\ 1)\ \mathrm{with}\ e \mapsto \maltese,\ ([\,]\ 1)\ (\lambda x.\ x)\}$
We then define two operations on sets of contexts:

$\downarrow_\Delta S = S \circ \{\mathrm{try}\ [\,]\ \mathrm{with}\ \Delta\}$
$\uparrow_\Delta S = \{\mathrm{try}\ [\,]\ \mathrm{with}\ \Delta\} \circ S$

and thus, for instance,

$C_1 = \downarrow_\Delta (\mathrm{rec}\ (\lambda x.\ \lambda y.\ y)\ [\,]) = \{ \mathrm{rec}\ (\lambda x.\ \lambda y.\ y)\ (\mathrm{try}\ [\,]\ \mathrm{with}\ \Delta) \}$
$C_2 = \uparrow_\Delta (\mathrm{rec}\ (\lambda x.\ \lambda y.\ y)\ [\,]) = \{ \mathrm{try}\ (\mathrm{rec}\ (\lambda x.\ \lambda y.\ y)\ [\,])\ \mathrm{with}\ \Delta \}$

and if $e \in \Delta$,

$C_1[\mathrm{raise}\ e] = \mathrm{rec}\ (\lambda x.\ \lambda y.\ y)\ (\mathrm{try}\ \mathrm{raise}\ e\ \mathrm{with}\ \Delta) \succ^* \maltese$
$C_1[S\ (\mathrm{raise}\ e)] = \mathrm{rec}\ (\lambda x.\ \lambda y.\ y)\ (\mathrm{try}\ S\ (\mathrm{raise}\ e)\ \mathrm{with}\ \Delta) \succ^* \mathrm{raise}\ e$
$C_2[\mathrm{raise}\ e] = \mathrm{try}\ (\mathrm{rec}\ (\lambda x.\ \lambda y.\ y)\ (\mathrm{raise}\ e))\ \mathrm{with}\ \Delta \succ^* \maltese$
$C_2[S\ (\mathrm{raise}\ e)] = \mathrm{try}\ (\mathrm{rec}\ (\lambda x.\ \lambda y.\ y)\ (S\ (\mathrm{raise}\ e)))\ \mathrm{with}\ \Delta \succ^* \maltese$
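Both the list program of Section 4 ($f$, $g$, $\mathrm{eval}$ and $h$) and the contexts $C_1$ and $C_2$ above can be run on a small call-by-name evaluator. The following Python code is an added illustration and is not part of the paper nor of any implementation of Fx: terms are Python thunks forced only when used, so exceptions are plain values that propagate exactly as in the text. It assumes that $\mathrm{div}$ is a primitive on evaluated naturals, that the accumulator of $\mathrm{eval}$ starts at $0$, that the handler of $h$ returns $0$, and that the base case of rec in $C_1$ and $C_2$ is the daimon (as in Lemma 5.10); the input list $[3; 1; 5]$ is a constructed one, chosen so that the mapped list is $[5;\ \mathrm{raise}\ \mathrm{div\_by\_0};\ 2]$ as in the text. It shows that $h$ returns $5$ even though the mapped list contains an exception, that a try alone does not see an exception buried under an $S$ while $\mathrm{eval}$ surfaces it, and that $S\ (\mathrm{raise}\ e)$ is orthogonal to $C_2$ but not to $C_1$.

```python
from dataclasses import dataclass
from typing import Any, Callable

# Weak head normal forms (values).  A term is a value or a thunk (a zero-argument
# function returning a term): call-by-name passes every argument as a thunk.
@dataclass(frozen=True)
class Raise:                 # the exceptional value `raise e`
    name: str
@dataclass(frozen=True)
class Succ:                  # S N: the argument stays an unevaluated thunk
    pred: Any
@dataclass(frozen=True)
class Cons:
    head: Any
    tail: Any
@dataclass(frozen=True)
class Lam:                   # lambda abstraction: body maps an argument thunk to a term
    body: Callable[[Any], Any]
class Daimon: pass           # the uncatchable daimon of Section 5.1
class Zero: pass
class Nil: pass
DAIMON, ZERO, NIL = Daimon(), Zero(), Nil()

def force(t):                # reduce to weak head normal form
    while callable(t):
        t = t()
    return t

def exceptional(v):
    return isinstance(v, (Raise, Daimon))

def app(f, x):               # M N: (raise e) N -> raise e, and likewise for the daimon
    v = force(f)
    return v if exceptional(v) else v.body(x)

def rec(x, y, n):            # rec X Y 0 -> X; rec X Y (S N) -> Y N (rec X Y N); raise propagates
    v = force(n)
    if exceptional(v):
        return v
    return x if isinstance(v, Zero) else app(app(y, v.pred), lambda: rec(x, y, v.pred))

def list_rec(x, y, l):       # same shape as rec, on lists
    v = force(l)
    if exceptional(v):
        return v
    return x if isinstance(v, Nil) else app(app(app(y, v.head), v.tail), lambda: list_rec(x, y, v.tail))

def try_(m, handlers):       # try M with e -> N: catches an exception at top level of M only;
    v = force(m)             # other exceptions, the daimon and regular values pass through
    return handlers[v.name] if isinstance(v, Raise) and v.name in handlers else v

def nat(k):                  # S^k 0, built lazily
    return ZERO if k == 0 else Succ(lambda: nat(k - 1))

def lst(*xs):                # cons x0 (... (cons xn nil))
    return NIL if not xs else Cons(xs[0], lambda: lst(*xs[1:]))

def deep_nat(t):             # evaluate a whole natural: an int, or the first exceptional value met
    k, v = 0, force(t)
    while isinstance(v, Succ):
        k, v = k + 1, force(v.pred)
    return k if isinstance(v, Zero) else v

def elements(t):             # evaluate a list and all its elements, so corrupted ones show up
    out, v = [], force(t)
    while isinstance(v, Cons):
        out.append(deep_nat(v.head))
        v = force(v.tail)
    return out if isinstance(v, Nil) else v

# The programs of Section 4.  div is taken as a primitive on evaluated naturals (assumption).
PRED = Lam(lambda n: rec(Raise("pred_err"), Lam(lambda m: Lam(lambda r: m)), n))
def div_(a, b):
    x, y = deep_nat(a), deep_nat(b)
    if exceptional(x) or exceptional(y):
        return x if exceptional(x) else y
    return Raise("div_by_0") if y == 0 else nat(x // y)
DIV = Lam(lambda a: Lam(lambda b: div_(a, b)))
MAP = Lam(lambda f: Lam(lambda l: list_rec(
    NIL, Lam(lambda h: Lam(lambda t: Lam(lambda r: Cons(lambda: app(f, h), r)))), l)))
HD = Lam(lambda l: list_rec(Raise("hd_fail"), Lam(lambda h: Lam(lambda t: Lam(lambda r: h))), l))
F = Lam(lambda l: app(app(MAP, Lam(lambda n: app(app(DIV, nat(10)), lambda: app(PRED, n)))), l))
G = Lam(lambda l: app(HD, lambda: app(F, l)))
# eval: the rec-based definition of the text, with the accumulator started at 0 (assumption);
# it surfaces a raise buried anywhere in the spine of its argument.
EVAL = Lam(lambda n: app(rec(Lam(lambda a: a),
                             Lam(lambda m: Lam(lambda r: Lam(lambda a: app(r, Succ(a))))), n), ZERO))
H = Lam(lambda l: try_(lambda: app(EVAL, lambda: app(G, l)),       # handler value 0: assumption
                       {e: ZERO for e in ("pred_err", "div_by_0", "hd_fail")}))
CORRUPT = Succ(lambda: Succ(lambda: Raise("e")))   # constructed S (S (raise e)): corrupted below top level

# The contexts of Section 5.3; rec's base case is taken to be the daimon (assumption).
SWAP = Lam(lambda x: Lam(lambda y: y))
def c1(m, delta):            # C1 = rec X (\x.\y.y) (try [ ] with Delta)
    return rec(DAIMON, SWAP, lambda: try_(m, {e: DAIMON for e in delta}))
def c2(m, delta):            # C2 = try (rec X (\x.\y.y) [ ]) with Delta
    return try_(lambda: rec(DAIMON, SWAP, m), {e: DAIMON for e in delta})
def orthogonal(m, c, delta): # M _|_ C iff C[M] reduces to the daimon (Definition 5.4)
    return force(c(m, delta)) is DAIMON
```

Usage: `deep_nat(app(H, lst(nat(3), nat(1), nat(5))))` gives `5`, `elements(app(F, lst(nat(3), nat(1), nat(5))))` gives `[5, Raise('div_by_0'), 2]`, and `orthogonal(Succ(lambda: Raise("e")), c1, {"e"})` is `False` while the same term is orthogonal to `c2`. The only place where laziness has to be written explicitly is in the Python wrappers: every non-trivial argument is wrapped in `lambda:` so that Python's strict evaluation does not force it ahead of time.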
It can be checked that by definition we have the following equalities:

$\uparrow_\Delta (A \cdot S) = A \cdot \uparrow_\Delta S$

$\downarrow_\Delta (\uparrow_{\Delta'} S) = \uparrow_{\Delta'} (\downarrow_\Delta S)$

Moreover, we have the following lemma:

Lemma 5.7. If $S$ is a set of contexts and $\Delta$ and $\Delta'$ are sets of exception names, then

$(\downarrow_\Delta (\downarrow_{\Delta'} S))^\perp = (\downarrow_{\Delta \cup \Delta'} S)^\perp$ and $(\uparrow_\Delta (\uparrow_{\Delta'} S))^\perp = (\uparrow_{\Delta \cup \Delta'} S)^\perp$

Proof. We only give the proof for $(\uparrow_\Delta (\uparrow_{\Delta'} S))^\perp = (\uparrow_{\Delta \cup \Delta'} S)^\perp$, since the other one is similar. We show two inclusions:

• We show that $(\uparrow_\Delta (\uparrow_{\Delta'} S))^\perp \subseteq (\uparrow_{\Delta \cup \Delta'} S)^\perp$. Let $t \in (\uparrow_\Delta (\uparrow_{\Delta'} S))^\perp$ and $C \in \uparrow_{\Delta \cup \Delta'} S$; by definition $C = \mathrm{try}\ D\ \mathrm{with}\ (\Delta \cup \Delta')$ where $D \in S$. Hence $\mathrm{try}\ (\mathrm{try}\ D[t]\ \mathrm{with}\ \Delta')\ \mathrm{with}\ \Delta \succ^* \maltese$ and

  – either $D[t] \succ^* \maltese$, but then $C[t] \succ^* \maltese$;

  – or $D[t] \succ^* \mathrm{raise}\ e$ with $e \in \Delta'$ or $e \in \Delta$. But then again, $C[t] \succ^* \maltese$.

• We show $(\uparrow_{\Delta \cup \Delta'} S)^\perp \subseteq (\uparrow_\Delta (\uparrow_{\Delta'} S))^\perp$. Let $t \in (\uparrow_{\Delta \cup \Delta'} S)^\perp$ and $C \in \uparrow_\Delta (\uparrow_{\Delta'} S)$; by definition, $C = \mathrm{try}\ (\mathrm{try}\ D\ \mathrm{with}\ \Delta')\ \mathrm{with}\ \Delta$ where $D \in S$. Hence $\mathrm{try}\ D[t]\ \mathrm{with}\ (\Delta \cup \Delta') \succ^* \maltese$ and

  – either $D[t] \succ^* \maltese$, but then $C[t] \succ^* \maltese$;

  – or $D[t] \succ^* \mathrm{raise}\ e$ with $e \in \Delta \cup \Delta'$. But then again, $C[t] \succ^* \maltese$. □

Along with the definition of $\downarrow_\Delta$, this lemma implies $(A \cdot \uparrow_\Delta (\uparrow_{\Delta'} S))^\perp = (A \cdot \uparrow_{\Delta \cup \Delta'} S)^\perp$.



5.4. Model definition. We call valuation function any function $\rho$ from type variables to the power set of $\mathcal{C}$ minus the empty set ($\rho : \mathcal{A} \to \mathcal{P}(\mathcal{C})^+$). To each type $A$ we associate two sets:

a set of contexts $|A|_\rho \subseteq \mathcal{C}$,
a set of terms $\llbracket A \rrbracket_\rho \subseteq \mathcal{T}$.

The set $\llbracket A \rrbracket_\rho$ is uniformly defined from $|A|_\rho$ by

$\llbracket A \rrbracket_\rho = |A|_\rho^\perp = \{ M \mid \forall C \in |A|_\rho,\ M \perp C \}$.

The set $|A|_\rho$ is defined by induction on $A$. Its definition is given in Figure 7.

Note that the interpretation in the model of the constructions $A \uplus \Delta$ and $A^\Delta$ follows, to some extent, the idea that terms of type $A \uplus \Delta$ are terms that may raise an exception only at top level, whereas terms of $A^\Delta$ are those that may raise an exception in any evaluation context. This is emphasized by the "opposition" of the operations $\downarrow_\Delta$ and $\uparrow_\Delta$. Remark that it is only the restriction to $\maltese$ in the handlers of try contexts that allows for such a simple definition of the interpretation of corruption. Indeed, thanks to this restriction we ensure that for any context $C$, $C[\mathrm{raise}\ e]$ will always reduce to $\mathrm{raise}\ e$ or $\maltese$.

The other interesting point of the model is the interpretation of arrow types. In Fx, a function $f$ which has type $A \to B$ also has all the types $A^\Delta \to B^\Delta$ for any $\Delta$. Our arrow type is thus smaller than the usual realizability one and so, functions of Fx are in particular realizability functions. More formally,
Figure 7: Definition of the $|A|_\rho$ set of contexts

Lemma 5.8. If $A$ and $B$ are two types and $\rho$ a valuation function, then

$\llbracket A \to B \rrbracket_\r ho = \bigcap_{\Delta \subseteq \mathcal{E}} \{ M \mid \forall N \in \llbracket A^\Delta \rrbracket_\rho,\ M\ N \in \llbracket B^\Delta \rrbracket_\rho \}$.

Proof. We prove the two inclusions forming the equality separately, both being simple consequences of the definitions. □

We can moreover show that the interpretation of $A \uplus \Delta$ is a union, and that the interpretations of the natural numbers and the lists are the standard ones:

Lemma 5.9. If $A$ is a type, $\Delta$ a set of exception names and $\rho$ a valuation function, then

$\llbracket A \uplus \Delta \rrbracket_\rho = \llbracket A \rrbracket_\rho \cup \{ M \mid M \succ^* \mathrm{raise}\ e,\ e \in \Delta \}$.

Proof. By definition,

$\llbracket A \uplus \Delta \rrbracket_\rho = (\downarrow_\Delta |A|_\rho)^\perp = \{ M \mid \forall C \in |A|_\rho,\ C[\mathrm{try}\ M\ \mathrm{with}\ \Delta] \succ^* \maltese \}$.

We show each inclusion separately:

• For $M \in \{ t \mid \forall C \in |A|_\rho,\ C[\mathrm{try}\ t\ \mathrm{with}\ \Delta] \succ^* \maltese \}$ we have $\mathrm{try}\ M\ \mathrm{with}\ \Delta \in \llbracket A \rrbracket_\rho$. Hence $\mathrm{try}\ M\ \mathrm{with}\ \Delta$ has a value (Lemma 5.13) and so does $M$ (Lemma 5.3):

  – Either $M \succ^* \mathrm{raise}\ e$ for $e \in \Delta$ and we conclude directly.

  – Or $M \succ^* V$ where $V$ is a regular value, and then $\mathrm{try}\ M\ \mathrm{with}\ \Delta \succ^* V$. But the interpretation being closed by equivalence (Lemma 5.12), $V \in \llbracket A \rrbracket_\rho$ and $M \in \llbracket A \rrbracket_\rho$.

• Let $M \in \llbracket A \rrbracket_\rho \cup \{ M \mid M \succ^* \mathrm{raise}\ e,\ e \in \Delta \}$ and let $C \in |A|_\rho$. We have to show $C[\mathrm{try}\ M\ \mathrm{with}\ \Delta] \succ^* \maltese$:

  – If $M \succ^* \mathrm{raise}\ e$ for $e \in \Delta$, then $\mathrm{try}\ M\ \mathrm{with}\ \Delta \succ^* \maltese$ and $C[\mathrm{try}\ M\ \mathrm{with}\ \Delta] \succ^* \maltese$.

  – Otherwise, $M \in \llbracket A \rrbracket_\rho$ and then $\mathrm{try}\ M\ \mathrm{with}\ \Delta \in \llbracket A \rrbracket_\rho$ (because, $M$ having a value (Lemma 5.13), there exists $V$ such that $M \succ^* V$; but then $\mathrm{try}\ M\ \mathrm{with}\ \Delta \succ^* V$ and we use the closure by equivalence of the interpretation (Lemma 5.12)). Finally, using the definition of orthogonality, $C[\mathrm{try}\ M\ \mathrm{with}\ \Delta] \succ^* \maltese$. □
Lemma 5.10. If $\rho$ is a valuation function, $\Delta$ a set of exception names and $\Phi$ represents one of $0$, $\maltese$ or $\mathrm{raise}\ e$ for some $e \in \Delta$, then

$\llbracket \mathbb{N}^\Delta \rrbracket_\rho = \{ M \mid M \succ^* S^n\ \Phi,\ n \in \mathbb{N} \}$.

Proof. In the following, $\Phi$ will always represent one of $0$, $\maltese$ or $\mathrm{raise}\ e$ for some $e \in \Delta$.

• If for some integer $n$, $M \succ^* S^n\ \Phi$, then by induction on $n$ it is easy to show that $\mathrm{try}\ (\mathrm{rec}\ \maltese\ (\lambda y.\ \lambda x.\ x)\ M)\ \mathrm{with}\ \Delta \succ^* \maltese$.

• If $M \in \llbracket \mathbb{N}^\Delta \rrbracket_\rho$, then there exists $k$ such that $\mathrm{try}\ (\mathrm{rec}\ \maltese\ (\lambda y.\ \lambda x.\ x)\ M)\ \mathrm{with}\ \Delta \succ^k \maltese$. Hence, we show by induction on $k$ that for any $k' \le k$ and for any term $M$:

  if $\mathrm{try}\ (\mathrm{rec}\ \maltese\ (\lambda y.\ \lambda x.\ x)\ M)\ \mathrm{with}\ \Delta \succ^{k'} \maltese$ then $M \succ^* S^n\ \Phi$

  – We cannot have $k = 0$, since $\mathrm{try}\ (\mathrm{rec}\ \maltese\ (\lambda y.\ \lambda x.\ x)\ M)\ \mathrm{with}\ \Delta$ is not $\maltese$.

  – We have $\mathrm{try}\ (\mathrm{rec}\ \maltese\ (\lambda y.\ \lambda x.\ x)\ M)\ \mathrm{with}\ \Delta \succ N \succ^{k-1} \maltese$. But the first reduction can only occur either if $M$ is $0$, $\maltese$ or $\mathrm{raise}\ e$ (and in the last case we have $e \in \Delta$), or if $M$ is $S\ M'$. In this last case, we easily conclude using the reduction of rec and the induction hypothesis. □

Lemma 5.11. If $\rho$ is a valuation function, $A$ a type, $\Delta$ a set of exception names and $\Phi$ represents one of $0$, $\maltese$ or $\mathrm{raise}\ e$ for some $e \in \Delta$, then

$\llbracket (A\ \mathrm{list})^\Delta \rrbracket_\rho = \{ M \mid M \succ^* \mathrm{cons}\ a_0\ (\ldots (\mathrm{cons}\ a_n$

Proof. The proof follows the same structure as the one of Lemma 5.10. □



5.5. Model properties.

Lemma 5.12 (closure by equivalence). If $M$ and $N$ are two terms, $A$ is a type and $\rho$ is a valuation function such that $M \in \llbracket A \rrbracket_\rho$ and $M = N$, then

$N \in \llbracket A \rrbracket_\rho$.

Proof. Let $M \in \llbracket A \rrbracket_\rho$ and $M = N$. Let $C \in |A|_\rho$; by definition $C[M] \succ^* \maltese$. But since $M = N$, $C[M] = C[N]$. Thus, by confluence of the reduction (the confluence theorem), $C[N] \succ^* \maltese$ and $N \in \llbracket A \rrbracket_\rho$. □

In particular, the interpretation is closed by reduction and anti-reduction.

Lemma 5.13. If $M$ is a term, $A$ a type and $\rho$ a valuation function such that $M \in \llbracket A \rrbracket_\rho$, then $M$ has a value.

Proof. By definition $M \in \llbracket A \rrbracket_\rho$ yields $M \in \{ M \mid \forall C \in |A|_\rho,\ C[M] \succ^* \maltese \}$. Thus, if $C \in |A|_\rho$, $C[M]$ has a value and, using Lemma 5.3, we have that $M$ has a value too. We simply have to make sure that there always exists such a context $C$, that is, $|A|_\rho$ is never empty. But for any type $A$, it can easily be proved by induction on $A$ that $|A|_\rho \neq \emptyset$ and $\maltese \in \llbracket A \rrbracket_\rho$ (remark that both properties have to be proved simultaneously, since the non-emptiness of $|A \to B|_\rho$ depends upon the non-emptiness of $\llbracket A \rrbracket_\rho$, which comes (by induction hypothesis) from the non-emptiness of $|A|_\rho$). □






Lemma 5.14. If $A$ is a type, $\rho$ a valuation function and $\Delta$ a set of exception names, then for all $e \in \Delta$, $\mathrm{raise}\ e \in \llbracket A^\Delta \rrbracket_\rho$.

Proof. Let $C \in |A^\Delta|_\rho$; by definition $C = \mathrm{try}\ D\ \mathrm{with}\ \Delta$ where $D \in |A|_\rho$. We can easily show that either $D[\mathrm{raise}\ e] \succ^* \maltese$ or $D[\mathrm{raise}\ e] \succ^* \mathrm{raise}\ e$. In any case, $C[\mathrm{raise}\ e] \succ^* \maltese$. □

An important and essential property of the model is that it validates the subtyping rule (eq-arrc):

Lemma 5.15. If $A$ and $B$ are two types, $\rho$ is a valuation function and $\Delta$ is a set of exception names, then

$\llbracket (A \to B)^\Delta \rrbracket_\rho = \llbracket A^\Delta \to B^\Delta \rrbracket_\rho$

Proof. Using Lemmas 5.6 and 5.7 we have that

$\llbracket (A \to B)^\Delta \rrbracket_\rho = \bigcap_{\Delta' \subseteq \mathcal{E}} \big( (\uparrow_{\Delta'} |A|_\rho)^\perp \cdot \uparrow_{\Delta \cup \Delta'} |B|_\rho \big)^\perp$

$\llbracket A^\Delta \to B^\Delta \rrbracket_\rho = \bigcap_{\Delta' \subseteq \mathcal{E}} \big( (\uparrow_{\Delta \cup \Delta'} |A|_\rho)^\perp \cdot \uparrow_{\Delta \cup \Delta'} |B|_\rho \big)^\perp$

It directly follows that $\llbracket (A \to B)^\Delta \rrbracket_\rho \subseteq \llbracket A^\Delta \to B^\Delta \rrbracket_\rho$.

For the other inclusion, let $M \in \llbracket A^\Delta \to B^\Delta \rrbracket_\rho$. If $\Delta'$ is a set of exception names and if $C \in (\uparrow_{\Delta'} |A|_\rho)^\perp \cdot \uparrow_{\Delta \cup \Delta'} |B|_\rho$, since we can show that $(\uparrow_{\Delta'} |A|_\rho)^\perp \subseteq (\uparrow_{\Delta \cup \Delta'} |A|_\rho)^\perp$, we have $C \in (\uparrow_{\Delta \cup \Delta'} |A|_\rho)^\perp \cdot \uparrow_{\Delta \cup \Delta'} |B|_\rho$ and we conclude. □
Lemma 5.16. The interpretations validate the following equalities:

$|(\forall\alpha.\ A)^\Delta|_\rho = |\forall\alpha.\ A^\Delta|_\rho$

$|(\forall\alpha.\ A) \uplus \Delta|_\rho = |\forall\alpha.\ A \uplus \Delta|_\rho$

$|(A \uplus \Delta)^{\Delta'}|_\rho = |(A^{\Delta'}) \uplus \Delta|_\rho$

$\llbracket (A^\Delta)^{\Delta'} \rrbracket_\rho = \llbracket A^{\Delta \cup \Delta'} \rrbracket_\rho$

$\llbracket (A \uplus \Delta) \uplus \Delta' \rrbracket_\rho = \llbracket A \uplus (\Delta \cup \Delta') \rrbracket_\rho$

Proof. The first three equalities are direct consequences of the definitions; the last two are direct consequences of Lemma 5.7. □



5.6. Model soundness. We first show that subtyping is sound with respect to the interpretation we have defined.

Lemma 5.17 (Subtyping soundness). If $A$ and $B$ are two types and $\rho$ a valuation function such that $A \le B$, then for any set of exception names $\Delta$,

$\llbracket A^\Delta \rrbracket_\rho \subseteq \llbracket B^\Delta \rrbracket_\rho$

Proof. We reason by induction on the derivation of $A \le B$. Many cases are either trivial ((st-id) and (st-trans)) or direct consequences of the lemmas we have proved so far. We only give in the following the cases that do not belong to one of these categories:

(st-arrow): Consider $\Delta \subseteq \mathcal{E}$ and $M \in \llbracket (A \to B)^\Delta \rrbracket_\rho = \llbracket A^\Delta \to B^\Delta \rrbracket_\rho$. We now have to show that $M \in \llbracket (A' \to B')^\Delta \rrbracket_\rho = \llbracket A'^\Delta \to B'^\Delta \rrbracket_\rho$. For $C \in |A'^\Delta \to B'^\Delta|_\rho$ we will establish $C[M] \succ^* \maltese$. By definition of $|A'^\Delta \to B'^\Delta|_\rho$, there exist $\Delta'$, $N \in \llbracket A'^{\Delta \cup \Delta'} \rrbracket_\rho$ and $D \in |B'^{\Delta \cup \Delta'}|_\rho$ such that $C = D[[\,]\ N]$. By induction hypothesis, $\llbracket A'^{\Delta \cup \Delta'} \rrbracket_\rho \subseteq \llbracket A^{\Delta \cup \Delta'} \rrbracket_\rho$.






But since $M \in \llbracket A^\Delta \to B^\Delta \rrbracket_\rho$, using Lemma 5.8 we have $M\ N \in \llbracket B^{\Delta \cup \Delta'} \rrbracket_\rho$. Then by induction hypothesis, $\llbracket B^{\Delta \cup \Delta'} \rrbracket_\rho \subseteq \llbracket B'^{\Delta \cup \Delta'} \rrbracket_\rho$ and finally, $C[M] = D[M\ N] \succ^* \maltese$.

(∀-gen): For $\Delta \subseteq \mathcal{E}$ and $M \in \llbracket A^\Delta \rrbracket_\rho$ we will show that $M \in \llbracket (\forall\alpha.\ B)^\Delta \rrbracket_\rho = \llbracket \forall\alpha.\ B^\Delta \rrbracket_\rho$. Let $C \in |\forall\alpha.\ B^\Delta|_\rho$; there exists $S$ such that $C \in |B^\Delta|_{\rho;\alpha \leftarrow S}$. Moreover, since $\alpha \notin FV(A)$, we have $\llbracket A^\Delta \rrbracket_\rho = \llbracket A^\Delta \rrbracket_{\rho;\alpha \leftarrow S}$. And since $\llbracket A^\Delta \rrbracket_{\rho;\alpha \leftarrow S} \subseteq \llbracket B^\Delta \rrbracket_{\rho;\alpha \leftarrow S}$ by induction hypothesis, $M \in \llbracket B^\Delta \rrbracket_{\rho;\alpha \leftarrow S}$ and finally, $C[M] \succ^* \maltese$.

(∀-inst): Given $\Delta \subseteq \mathcal{E}$, we will show that $|(A\{\alpha := B\})^\Delta|_\rho \subseteq |(\forall\alpha.\ A)^\Delta|_\rho$ and then conclude by orthogonality (Lemma 5.5). Let $C \in |(A\{\alpha := B\})^\Delta|_\rho$; we show by a straightforward induction on $A$ that $|(A\{\alpha := B\})^\Delta|_\rho = |A^\Delta|_{\rho;\alpha \leftarrow |B|_\rho}$. Moreover, by definition of $|\forall\alpha.\ A^\Delta|_\rho$, we have $|A^\Delta|_{\rho;\alpha \leftarrow |B|_\rho} \subseteq |\forall\alpha.\ A^\Delta|_\rho$, from which it follows that $C \in |\forall\alpha.\ A^\Delta|_\rho = |(\forall\alpha.\ A)^\Delta|_\rho$.

(∀-distr): Consider $\Delta \subseteq \mathcal{E}$ and $t \in \llbracket (\forall\alpha.\ (A \to B))^\Delta \rrbracket_\rho = \llbracket \forall\alpha.\ (A^\Delta \to B^\Delta) \rrbracket_\rho$; we will show that $t \in \llbracket (A \to \forall\alpha.\ B)^\Delta \rrbracket_\rho = \llbracket A^\Delta \to \forall\alpha.\ B^\Delta \rrbracket_\rho$. Let $C \in |A^\Delta \to \forall\alpha.\ B^\Delta|_\rho$; by definition there exist $\Delta'$, $u \in \llbracket A^{\Delta \cup \Delta'} \rrbracket_\rho$ and $D \in |(\forall\alpha.\ B^\Delta)^{\Delta'}|_\rho = |\forall\alpha.\ B^{\Delta \cup \Delta'}|_\rho$ such that $C = D[[\,]\ u]$. Then there exists $S$ such that $D \in |B^{\Delta \cup \Delta'}|_{\rho;\alpha \leftarrow S}$ and, since $\alpha \notin FV(A)$, $u \in \llbracket A^{\Delta \cup \Delta'} \rrbracket_{\rho;\alpha \leftarrow S}$. Thus by definition of $\llbracket \forall\alpha.\ (A^\Delta \to B^\Delta) \rrbracket_\rho$ and using Lemma 5.8 we have $t\ u \in \llbracket B^{\Delta \cup \Delta'} \rrbracket_{\rho;\alpha \leftarrow S}$ and finally $C[t] = D[t\ u] \succ^* \maltese$.

(ex-arrow): Consider $\Delta \subseteq \mathcal{E}$ and $t \in \llbracket ((A \to B) \uplus \Delta')^\Delta \rrbracket_\rho = \llbracket (A^\Delta \to B^\Delta) \uplus \Delta' \rrbracket_\rho$; we have to show that $t \in \llbracket (A \to B \uplus \Delta')^\Delta \rrbracket_\rho = \llbracket A^\Delta \to B^\Delta \uplus \Delta' \rrbracket_\rho$. Consider $\Delta'' \subseteq \mathcal{E}$ and $u \in \llbracket A^{\Delta \cup \Delta''} \rrbracket_\rho$; using Lemma 5.8 we must show that $t\ u \in \llbracket B^{\Delta \cup \Delta''} \uplus \Delta' \rrbracket_\rho$. But using Lemma 5.9 we have:

• Either $t \succ^* \mathrm{raise}\ e$ for $e \in \Delta'$, but then $t\ u \succ^* \mathrm{raise}\ e$ and hence, using Lemma 5.9, $t\ u \in \llbracket B^{\Delta \cup \Delta''} \uplus \Delta' \rrbracket_\rho$.

• Or $t \in \llbracket A^\Delta \to B^\Delta \rrbracket_\rho$ and, using Lemma 5.8, $t\ u \in \llbracket B^{\Delta \cup \Delta''} \rrbracket_\rho$, which in turn gives $t\ u \in \llbracket B^{\Delta \cup \Delta''} \uplus \Delta' \rrbracket_\rho$ (Lemma 5.9).

(ex-ctx): This case is trivial with the use of Lemma 5.9.

(ex-uni): This case is trivial with the use of Lemma 5.9.

(ex-corrupt): We need to show $\llbracket (A \uplus \Delta')^\Delta \rrbracket_\rho = \llbracket A^\Delta \uplus \Delta' \rrbracket_\rho \subseteq \llbracket (A^{\Delta'})^\Delta \rrbracket_\rho = \llbracket A^{\Delta \cup \Delta'} \rrbracket_\rho$. But $\llbracket A^\Delta \uplus \Delta' \rrbracket_\rho = \llbracket A^\Delta \rrbracket_\rho \cup \{ t \mid t \succ^* \mathrm{raise}\ e,\ e \in \Delta' \}$, and it can easily be shown that if $\Delta \subseteq \Delta'$ then $\llbracket A^\Delta \rrbracket_\rho \subseteq \llbracket A^{\Delta'} \rrbracket_\rho$, and that if $e \in \Delta$ then $\mathrm{raise}\ e \in \llbracket A^\Delta \rrbracket_\rho$ (Lemma 5.14). □

We define the interpretation, corrupted by some set of exception names $\Delta$ (possibly empty), of a typing context $\Gamma$ by:

$\llbracket \Gamma^\Delta \rrbracket_\rho = \{ \sigma \mid \forall (x : A) \in \Gamma,\ \sigma(x) \in \llbracket A^\Delta \rrbracket_\rho \}$

Moreover, if $\sigma$ is a substitution of term variables and $M$ is a term, we use the notation $M[\sigma]$ for the parallel substitution of $M$ by $\sigma$, which consists in applying $\sigma$ to all free variables of $M$ in parallel. We can now show that our interpretation is sound with respect to typing:

Theorem 5.18 (Model soundness). If $M$ is a term, $A$ a type and $\Gamma$ a typing context such that $\Gamma \vdash M : A$, then for every valuation function $\rho$, every set of exception names $\Delta$ and every substitution $\sigma \in \llbracket \Gamma^\Delta \rrbracket_\rho$, we have $M[\sigma] \in \llbracket A^\Delta \rrbracket_\rho$.

Proof. We use induction on the derivation of $\Gamma \vdash t : A$. Note that since $\llbracket A \rrbracket_\rho \subseteq \llbracket A^\Delta \rrbracket_\rho$ (Lemma 5.17), we will only show that $t[\sigma] \in \llbracket A \rrbracket_\rho$ when possible. We give here only the interesting cases. The other cases are either simple ((ax), (subs), (zero), (succ), (nil), (cons)) or, for (fold), follow closely the structure of the proof for (rec).

(abs): Let $C \in |(A \to B)^\Delta|_\rho = |A^\Delta \to B^\Delta|_\rho$; we need to show that $C[\lambda x.\ t[\sigma]] \succ^* \maltese$. By definition, there exist $\Delta'$, $u \in \llbracket A^{\Delta'} \rrbracket_\rho$ and $D \in |B^{(\Delta \cup \Delta')}|_\rho$ such that $C = D[[\,]\ u]$. Then, if $\delta = \sigma + \{x \to u\}$, we have $\delta \in \llbracket (\Gamma, x : A)^{(\Delta \cup \Delta')} \rrbracket_\rho$ ($\sigma \in \llbracket \Gamma^{\Delta'} \rrbracket_\rho \subseteq \llbracket \Gamma^{(\Delta \cup \Delta')} \rrbracket_\rho$ and $u \in \llbracket A^{\Delta'} \rrbracket_\rho \subseteq \llbracket A^{\Delta \cup \Delta'} \rrbracket_\rho$), and also, by induction hypothesis, $t[\delta] \in \llbracket B^{(\Delta \cup \Delta')} \rrbracket_\rho$. However, $(\lambda x.\ t[\sigma])\ u \succ t[\delta]$ and $\llbracket B^{(\Delta \cup \Delta')} \rrbracket_\rho$ is closed by anti-reduction (Lemma 5.12), and thus $(\lambda x.\ t[\sigma])\ u \in \llbracket B^{(\Delta \cup \Delta')} \rrbracket_\rho$ and finally $C[\lambda x.\ t[\sigma]] = D[(\lambda x.\ t[\sigma])\ u] \succ^* \maltese$.

(app): We easily conclude using Lemma 5.8.

(gen): Let $C \in |(\forall\alpha.\ A)^\Delta|_\rho = |\forall\alpha.\ A^\Delta|_\rho$; by definition there exists a non-empty $S$ such that $C \in |A^\Delta|_{\rho;\alpha \leftarrow S}$. Moreover, since $\alpha \notin FV(\Gamma)$, $\llbracket \Gamma^\Delta \rrbracket_\rho = \llbracket \Gamma^\Delta \rrbracket_{\rho;\alpha \leftarrow S}$. It follows by induction hypothesis that $t[\sigma] \in \llbracket A^\Delta \rrbracket_{\rho;\alpha \leftarrow S}$. Finally, $C[t[\sigma]] \succ^* \maltese$ and $t[\sigma] \in \llbracket (\forall\alpha.\ A)^\Delta \rrbracket_\rho$.

(rec): We have to show that

$\mathrm{rec} \in \llbracket \forall\alpha.\ \alpha \uplus \Delta \to (\mathbb{N}^\Delta \to \alpha \uplus \Delta \to \alpha \uplus \Delta) \to \mathbb{N}^\Delta \uplus \Delta' \to \alpha \uplus (\Delta \cup \Delta') \rrbracket_\rho$.

Using Lemma 5.8, we have to show that for any non-empty set of contexts $S$, for any $\Delta_1$, $\Delta_2$ and $\Delta_3$ and for

$z \in \llbracket \alpha^{\Delta_1} \uplus \Delta \rrbracket_{\rho;\alpha \leftarrow S}$

$f \in \llbracket \mathbb{N}^{\Delta_1 \cup \Delta_2 \cup \Delta} \to \alpha^{\Delta_1 \cup \Delta_2} \uplus \Delta \to \alpha^{\Delta_1 \cup \Delta_2} \uplus \Delta \rrbracket_{\rho;\alpha \leftarrow S}$

$n \in \llbracket \mathbb{N}^{\Delta_1 \cup \Delta_2 \cup \Delta_3} \uplus \Delta' \rrbracket_{\rho;\alpha \leftarrow S}$

we have $\mathrm{rec}\ z\ f\ n \in \llbracket \alpha^{\Delta_1 \cup \Delta_2 \cup \Delta_3} \uplus (\Delta \cup \Delta') \rrbracket_{\rho;\alpha \leftarrow S}$. With Lemma 5.9 we have either $n \succ^* \mathrm{raise}\ e$ for $e \in \Delta'$ (and we easily conclude), or $n \in \llbracket \mathbb{N}^{\Delta_1 \cup \Delta_2 \cup \Delta_3 \cup \Delta} \rrbracket_{\rho;\alpha \leftarrow S}$. In this last case, there exists some $k$ such that $n \succ^* S^k\ \Phi$ where $\Phi$ is one of $0$, $\maltese$ or $\mathrm{raise}\ e$ for $e \in \Delta_1 \cup \Delta_2 \cup \Delta_3 \cup \Delta$ (Lemma 5.10). We then proceed by induction on $k$. If $k = 0$ ($n \succ^* \Phi$) we easily conclude in each case of $\Phi$. Otherwise, we must show that $\mathrm{rec}\ z\ f\ (S\ (S^k\ \Phi)) \in \llbracket \alpha^{\Delta_1 \cup \Delta_2 \cup \Delta_3} \uplus (\Delta \cup \Delta') \rrbracket_{\rho;\alpha \leftarrow S}$. But $\mathrm{rec}\ z\ f\ (S\ (S^k\ \Phi)) \succ f\ (S^k\ \Phi)\ (\mathrm{rec}\ z\ f\ (S^k\ \Phi))$. We then conclude using Lemma 5.8 with $f$, the fact that $S^k\ \Phi \in \llbracket \mathbb{N}^{\Delta_1 \cup \Delta_2 \cup \Delta_3 \cup \Delta} \rrbracket_{\rho;\alpha \leftarrow S}$ (Lemma 5.10) and the induction hypothesis.

(raise): This is direct using Lemma 5.9.

(try): By induction hypothesis, $t[\sigma] \in \llbracket (A \uplus \Delta)^\Delta \rrbracket_\rho = \llbracket A^\Delta \uplus \Delta \rrbracket_\rho$ and $u[\sigma] \in \llbracket A^\Delta \rrbracket_\rho$. Using Lemma 5.9 we have either that $t[\sigma] \in \llbracket A^\Delta \rrbracket_\rho$ or that $t[\sigma] \succ^* \mathrm{raise}\ e$. Since terms inhabiting the interpretation have values (Lemma 5.13), in both cases we can show that either $\mathrm{try}\ t[\sigma]\ \mathrm{with}\ e \mapsto u[\sigma]$ reduces to $u[\sigma]$ or, if $t[\sigma] \in \llbracket A^\Delta \rrbracket_\rho$, it reduces to some $t'$ such that $t[\sigma] \succ^* t'$. In both cases, we can conclude. □

Note that in this model, we only consider closed terms by construction. For this very reason, we cannot establish a strong normalization theorem using this model. But, from the model, we obtain a form of weak head normalization theorem (let us recall that values correspond to weak head normal forms):

Theorem 5.19 (Weak head normalization). If $M$ is a closed term, $A$ a type and $\Gamma$ a typing context such that $\Gamma \vdash M : A$, then $M$ has a value.

Proof. This comes directly from the model soundness theorem and Lemma 5.13. □
The model allows us to prove, for instance, that our typing of exceptions is safe for the primitive data type of the natural numbers:

Lemma 5.20 (type safety for natural numbers). If $M$ is a term such that $\vdash M : \mathbb{N}$, then $M \succ^* S^n\ 0$ for some $n \ge 0$.

Proof. If $\vdash M : \mathbb{N}$, then by Theorem 5.18 $M \in \llbracket \mathbb{N} \rrbracket_\rho$. We conclude using Lemma 5.10 and the fact that $M$ is well typed and there is no typing rule for $\maltese$. □

Hence, if a program has the type of the natural numbers, we are assured that it will compute a true natural number without producing errors.

6. Related Works 

The static detection of uncaught exceptions has been studied in many works, based on typing or not. For instance, for the OCaml language, J.C. Guzmán and A. Suárez [7] have proposed an extension of the type system where arrows are annotated by the exceptions a function can raise. Later, X. Leroy and F. Pessaux [13] proposed a similar system but added polymorphism over these annotations. Their solution is efficient and covers all of the OCaml language, including modularity. However, all these works consider exceptions in call-by-value languages and rely heavily on the exceptions-as-control-flow paradigm.

In call-by-name, it is standard to use monads to encode exceptions [21], [16]. We have however already explained in Section 2.1 the drawbacks of such an approach. As already stressed, from a computational point of view, the exception mechanism described in this paper is very similar to the imprecise exceptions of S. Peyton Jones et al. [14], which are implemented in the GHC Haskell compiler [17]. The novelty of this paper is to provide a precise type system for this exception mechanism, while in [14] exceptional values inhabit all types. The "imprecision" of imprecise exceptions comes from the willingness to not force a particular reduction strategy for primitive binary operators. For instance, with imprecise exceptions the term $(\mathrm{raise}\ e) + (\mathrm{raise}\ e')$ evaluates to the set $\{\mathrm{raise}\ e, \mathrm{raise}\ e'\}$ (hence exceptional values are sets). Since in Fx we do not have binary primitive operators, we have no need for such so-called imprecision. However, in Fx, addition has to be coded using the rec operator, such a coding being bound to be non-commutative for exceptions (the coding has to choose on which operand of the addition the recursion is performed). We however believe that if needed, the typing of exceptions presented in this paper could be adapted with almost no changes to the case of imprecise exceptions, since our type notions already deal with sets of exceptions.

In the literature, exceptions are often considered as control operators. Note however that exceptions have a dynamic semantics and, as such, cannot be compared to static control operators like first-class continuations [18]. In particular, the typing of exceptions does not necessarily lift the logic to a classical one. Besides, in this paper we address the problem of the static detection of uncaught exceptions. We do not know of previous works on control operators dealing with this particular problem.

Exceptions in type theoretical settings have been less studied. However, R. David 
and G. Mounier [3] have designed a typed mechanism of exceptions for the language AF2. 
However, as with monads, the propagation of exceptions in their system has to be forced by 
means of Krivine's storage operators. Besides, their exceptions are restricted in the sense 
that only data types can carry exceptions and for example, exceptions cannot be used as 
functions. 
7. Conclusion and future works

We have presented the Fx calculus, an extension of System F with typed exceptions. We have presented a mechanism of exceptions that does not force a particular $\beta$-reduction strategy for the calculus. We have also provided a type system for this mechanism that performs static detection of uncaught exceptions. This type system is modular and allows the use and propagation of exceptions to be transparent for the programmer. Finally, we have justified the semantics of our calculus by exhibiting a realizability model.

This calculus can be improved in a number of ways. First, by proving more meta-theoretical properties. Our realizability model only allows us to prove weak head normalization, but it could probably be modified in order to prove strong normalization. In fact, we believe that the simple change of the definition of the orthogonality relation (Definition 5.4) to "$M \perp C$ if and only if $C[M] \succ^* \maltese$ and $C[M]$ is strongly normalizing" would yield a strong normalization model (but with this new notion the interpretation will not be closed by anti-reduction anymore and the proofs will have to be adapted). Moreover, we have not yet completed the proof of subject reduction for Fx. However, a detailed proof of subject reduction for the restriction of the calculus to first order can be found in [8] (showing that corruption does not intrinsically break the subject reduction property). Adapting this proof to second order (and thus to Fx) is however not trivial, not because of corruption, but because of the subtyping rules for quantification. Besides, the realizability model already proves a form of type safety for the calculus.

Type inference for Fx is obviously undecidable [25]. But type inference for restrictions of Fx, to first order for instance, remains to be studied, and we have good hopes since we know that in such a restriction the subtyping relation is decidable.

Exceptions in Fx are simple names. We would like to extend the calculus so that they carry arguments. However, we will then need to account in the type system for the types of these arguments, which will notably complicate the type system.

As mentioned in the introduction, we think that corruption is a promising notion for the addition of exceptions to proof assistants based on type theoretical calculi. To that end, we think that a natural extension would be to add the dependent product to our calculus. As our type system is heavily based on subtyping, we would build on previous works on subtyping in dependent calculi [2], [9]. Moreover, we already know how to extend our realizability model to handle the dependent product: if $T$ is a type and $U_x$ a type family indexed by $x$, we can take

$|\Pi x{:}T.\ U|_\rho = \bigcup_{\Delta \subseteq \mathcal{E}} \{ M \cdot C \mid M \in \llbracket T^\Delta \rrbracket_\rho \wedge C \in |U_M|_\rho \}$
Appendix A. Parallel reduction for Fx

$\dfrac{}{M \rhd M}$ \qquad $\dfrac{M \rhd M'}{\lambda x.\ M \rhd \lambda x.\ M'}$ \qquad $\dfrac{M \rhd M' \quad N \rhd N'}{M\ N \rhd M'\ N'}$

$\dfrac{M \rhd M' \quad N \rhd N'}{(\lambda x.\ M)\ N \rhd M'\{x := N'\}}$ \qquad $\dfrac{}{(\mathrm{raise}\ e)\ M \rhd \mathrm{raise}\ e}$

$\dfrac{N \rhd N'}{\mathrm{try}\ (\mathrm{raise}\ e)\ \mathrm{with}\ e \mapsto N \rhd N'}$ \qquad $\dfrac{}{\mathrm{try}\ (\mathrm{raise}\ e')\ \mathrm{with}\ e \mapsto N \rhd \mathrm{raise}\ e'}$

$\dfrac{M \rhd M' \quad N \rhd N'}{\mathrm{try}\ M\ \mathrm{with}\ e \mapsto N \rhd \mathrm{try}\ M'\ \mathrm{with}\ e \mapsto N'}$

$\dfrac{V \rhd V' \quad V \text{ is a regular value}}{\mathrm{try}\ V\ \mathrm{with}\ e \mapsto N \rhd V'}$

$\dfrac{X \rhd X'}{\mathrm{rec}\ X\ Y\ 0 \rhd X'}$ \qquad $\dfrac{X \rhd X' \quad Y \rhd Y' \quad N \rhd N'}{\mathrm{rec}\ X\ Y\ (S\ N) \rhd Y'\ N'\ (\mathrm{rec}\ X'\ Y'\ N')}$

$\dfrac{}{\mathrm{rec}\ X\ Y\ (\mathrm{raise}\ e) \rhd \mathrm{raise}\ e}$

$\dfrac{X \rhd X'}{\mathrm{list\_rec}\ X\ Y\ [\,] \rhd X'}$ \qquad $\dfrac{X \rhd X' \quad Y \rhd Y' \quad E \rhd E' \quad L \rhd L'}{\mathrm{list\_rec}\ X\ Y\ (\mathrm{cons}\ E\ L) \rhd Y'\ E'\ L'\ (\mathrm{list\_rec}\ X'\ Y'\ L')}$

$\dfrac{}{\mathrm{list\_rec}\ X\ Y\ (\mathrm{raise}\ e) \rhd \mathrm{raise}\ e}$